From f49b7404b2a49efb8b76afea27f355cade3da6dc Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Mon, 17 Mar 2025 12:26:46 +0100
Subject: [PATCH] capability-util: Ignore unknown capabilities instead of aborting

capability_ambient_set_apply() can be called with capability sets containing unknown capabilities. Let's not crash when this is the case but instead ignore the unknown capabilities.

This fixes a crash when running the following command:

"systemd-run -p "AmbientCapabilities=~" --wait --pipe id"

Fixes d5e12dc75e0e356c62e514e9c347efb200fe60e0
---
 src/basic/capability-util.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index 11d7e95cb65..0b544ea64a5 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -114,8 +114,9 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
         int r;
 
         /* Remove capabilities requested in ambient set, but not in the bounding set */
-        BIT_FOREACH(i, set) {
-                assert((unsigned) i <= cap_last_cap());
+        for (unsigned i = 0; i <= cap_last_cap(); i++) {
+                if (!BIT_SET(set, i))
+                        continue;
 
                 if (prctl(PR_CAPBSET_READ, (unsigned long) i) != 1) {
                         log_debug("Ambient capability %s requested but missing from bounding set, suppressing automatically.",
-- 
2.47.3
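Review bot: Skipping bits above cap_last_cap() in this loop only hides them from the bounding-set check; `set` is passed by value and is not narrowed, so whatever the rest of capability_ambient_set_apply() does with it (the body continues past the hunk) still sees those bits, and if it walks `set` again for the inheritable update or the ambient raise, the same unknown capabilities would reach prctl() there. Masking once before the loop, `set &= cap_last_cap() >= 63 ? UINT64_MAX : (UINT64_C(1) << (cap_last_cap() + 1)) - 1;`, would make the "ignore unknown capabilities" promise of the commit message hold for the whole function rather than this one check, and would let the loop keep using BIT_FOREACH. Either way a one-line `log_debug()` stating that unknown capability bits were dropped is worth adding, since the bounding-set case gets one and a silently narrowed ambient set is otherwise hard to diagnose. Hoisting `cap_last_cap()` into a local also avoids re-evaluating the loop bound on every iteration.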