Only drop the capabilities from the bounding set if we are running as PID1 (#6204)
authorLennart Poettering <lennart@poettering.net>
Wed, 28 Jun 2017 17:29:45 +0000 (19:29 +0200)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 28 Jun 2017 17:29:45 +0000 (13:29 -0400)
The CapabilityBoundingSet option only makes sense if we are running as
PID1.

The system.conf.d(5) manpage already states that the CapabilityBoundingSet
option:
  Controls which capabilities to include in the capability bounding set
  for PID 1 and its children.

https://github.com/systemd/systemd/issues/6080

src/core/main.c

index c2439ed1858728ba0576e156e223a764ef893c58..88e2c9250425d6741689eb1a119fda578f9aed85 100644 (file)
@@ -1780,7 +1780,7 @@ int main(int argc, char *argv[]) {
                 if (prctl(PR_SET_TIMERSLACK, arg_timer_slack_nsec) < 0)
                         log_error_errno(errno, "Failed to adjust timer slack: %m");
 
-        if (!cap_test_all(arg_capability_bounding_set)) {
+        if (arg_system && !cap_test_all(arg_capability_bounding_set)) {
                 r = capability_bounding_set_drop_usermode(arg_capability_bounding_set);
                 if (r < 0) {
                         log_emergency_errno(r, "Failed to drop capability bounding set of usermode helpers: %m");
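Review bot: A CapabilityBoundingSet= configured for a user instance is now skipped silently at the changed `if`, so an operator who sets it in a user-instance config gets neither the drop nor any diagnostic, whereas the old code at least surfaced the failed attempt through log_emergency_errno(). Consider logging once when the option is set but not honoured, e.g. after the block `else if (!cap_test_all(arg_capability_bounding_set))` followed by `log_warning("CapabilityBoundingSet= is only honoured by the system instance, ignoring.");`, or rejecting the option at config-parse time for user instances (which would live outside this hunk). A one-line comment above the condition, such as `/* The bounding set is inherited by every child of PID 1; only the system instance is meant to narrow it, see system.conf.d(5). */`, would record why arg_system gates this rather than leaving the reader to reconstruct it from the issue link. The enclosing main() and the `if (r < 0)` block both continue outside the hunk.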