From: Daan De Meyer Date: Mon, 17 Mar 2025 11:26:46 +0000 (+0100) Subject: capability-util: Ignore unknown capabilities instead of aborting X-Git-Tag: v258-rc1~1041^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f49b7404b2a49efb8b76afea27f355cade3da6dc;p=thirdparty%2Fsystemd.git capability-util: Ignore unknown capabilities instead of aborting capability_ambient_set_apply() can be called with capability sets containing unknown capabilities. Let's not crash when this is the case but instead ignore the unknown capabilities. This fixes a crash when running the following command: "systemd-run -p "AmbientCapabilities=~" --wait --pipe id" Fixes d5e12dc75e0e356c62e514e9c347efb200fe60e0 --- diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c index 11d7e95cb65..0b544ea64a5 100644 --- a/src/basic/capability-util.c +++ b/src/basic/capability-util.c @@ -114,8 +114,9 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) { int r; /* Remove capabilities requested in ambient set, but not in the bounding set */ - BIT_FOREACH(i, set) { - assert((unsigned) i <= cap_last_cap()); + for (unsigned i = 0; i <= cap_last_cap(); i++) { + if (!BIT_SET(set, i)) + continue; if (prctl(PR_CAPBSET_READ, (unsigned long) i) != 1) { log_debug("Ambient capability %s requested but missing from bounding set, suppressing automatically.",
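Review bot: In the new `for (unsigned i = 0; i <= cap_last_cap(); i++)` loop, bits of `set` above `cap_last_cap()` are now skipped silently, and the comment above the loop still describes only the bounding-set filtering. Consider masking `set` once before the loop and emitting a `log_debug()` when unknown bits were dropped. That way a setting like `AmbientCapabilities=~` leaves a trace, and any later use of `set` in this function does not see the unknown bits either; the lines shown here do not clear them from `set`. The loop condition also calls `cap_last_cap()` on every iteration, so reading it into a local once would make the bound explicit. A regression test for the `systemd-run -p "AmbientCapabilities=~" --wait --pipe id` reproducer from the commit message would keep the crash from coming back.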