With ambient capabilities being dropped at the start of process managers
(both system and user) as well as systemd-executor it isn't necessary
to drop them here. Moreover, at this point also the inheritable set can
be preserved. This makes it possible to assign a user session manager
inheritable capabilities which combined with file capabilities (ei sets)
of service executables enable running user services with capabilities
but only when started by the manager.
This reverts commit 943800f4e7728feb2416dd57b8c296614497b94f.
*
* The requested ambient capabilities are raised in the inheritable set if the second
* argument is true. */
- if (!needs_ambient_hack) {
+ if (!needs_ambient_hack && capability_ambient_set != 0) {
r = capability_ambient_set_apply(capability_ambient_set, /* also_inherit= */ true);
if (r < 0) {
*exit_status = EXIT_CAPABILITIES;
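Review bot: the comment directly above the changed condition is now incomplete, because the new `capability_ambient_set != 0` guard means `capability_ambient_set_apply()` is not called at all when no ambient capabilities were requested, so the ambient and inheritable sets are left as the manager handed them over rather than being cleared. The comment should say so explicitly, e.g. "If no ambient capabilities were requested, the ambient and inheritable sets are left untouched (the managers and systemd-executor already drop ambient capabilities on startup)", so that a reader does not assume the apply call still runs with an empty set. It would also help to state, either here or in the commit message, that this relies on the invariant that the process managers and systemd-executor drop ambient capabilities at startup, since the correctness of skipping the call depends on it.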