capability: add new ambient_capabilities_supported() helper

This new function reports whether ambient caps are available, and should
be quick because the result is cached.

diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index fe10536a69903d00beabf1b92408f35cf7fd6035..96c2e992bdd7360b62abcc14f53e2435fa874a6d 100644 (file)
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -370,3 +370,18 @@ int drop_capability(cap_value_t cv) {
 
         return 0;
 }
+
+bool ambient_capabilities_supported(void) {
+        static int cache = -1;
+
+        if (cache >= 0)
+                return cache;
+
+        /* If PR_CAP_AMBIENT returns something valid, or an unexpected error code we assume that ambient caps are
+         * available. */
+
+        cache = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_KILL, 0, 0) >= 0 ||
+                !IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS);
+
+        return cache;
+}

diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h
index 35a896e229fa0ef3544fc96239030554488bf33f..3dc9429153ed93d75d37d079bf103d110b5b7240 100644 (file)
--- a/src/basic/capability-util.h
+++ b/src/basic/capability-util.h
@@ -55,3 +55,5 @@ static inline bool cap_test_all(uint64_t caps) {
         m = (UINT64_C(1) << (cap_last_cap() + 1)) - 1;
         return (caps & m) == m;
 }
+
+bool ambient_capabilities_supported(void);

diff --git a/src/test/test-capability.c b/src/test/test-capability.c
index 629bb63c81c3da7b9498f220541cdc8d602b0087..8276c75987de23f2ea10dfa28c4caafd1482c864 100644 (file)
--- a/src/test/test-capability.c
+++ b/src/test/test-capability.c
@@ -205,6 +205,8 @@ int main(int argc, char *argv[]) {
         log_parse_environment();
         log_open();
 
+        log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported()));
+
         if (getuid() != 0)
                 return EXIT_TEST_SKIP;