From: Luca Boccassi
Date: Fri, 1 Dec 2023 01:44:54 +0000 (+0000)
Subject: core: do not drop CAP_SETUID if it is in AmbientCapabilities=
X-Git-Tag: v255-rc4~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4a35f2ad961bae9edc59a28964d2917d5a37632;p=thirdparty%2Fsystemd.git
core: do not drop CAP_SETUID if it is in AmbientCapabilities=
Follow-up for 24832d10b604848cf46624bb439c7fac27f3ce3f
---
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 1e08296b466..0741ce3c3b8 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -4918,10 +4918,12 @@ int exec_invoke(
         }
 
         if (keep_seccomp_privileges) {
-                r = drop_capability(CAP_SETUID);
-                if (r < 0) {
-                        *exit_status = EXIT_USER;
-                        return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m");
+                if (!FLAGS_SET(capability_ambient_set, (UINT64_C(1) << CAP_SETUID))) {
+                        r = drop_capability(CAP_SETUID);
+                        if (r < 0) {
+                                *exit_status = EXIT_USER;
+                                return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m");
+                        }
                 }
 
                 r = keep_capability(CAP_SYS_ADMIN);
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 64779d0cf2d..9a03e291a03 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -1070,6 +1070,9 @@ static void test_exec_ambientcapabilities(Manager *m) {
         test(m, "exec-ambientcapabilities.service", 0, CLD_EXITED);
         test(m, "exec-ambientcapabilities-merge.service", 0, CLD_EXITED);
 
+        if (have_effective_cap(CAP_SETUID) > 0)
+                test(m, "exec-ambientcapabilities-dynuser.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
+
         if (!check_nobody_user_and_group()) {
                 log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
                 return;
diff --git a/test/test-execute/exec-ambientcapabilities-dynuser.service b/test/test-execute/exec-ambientcapabilities-dynuser.service
new file mode 100644
index 00000000000..560628ec9a3
--- /dev/null
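Review bot: The new guard in exec_invoke() keeps CAP_SETUID whenever it is set in `capability_ambient_set`, but nothing at that spot says why the drop is skipped, so the commit log is the only explanation of a capability deliberately retained on the keep_seccomp_privileges path. A one-line comment above the `if (!FLAGS_SET(capability_ambient_set, (UINT64_C(1) << CAP_SETUID)))` line would save the next reader that trip, e.g. `/* Keep CAP_SETUID when the unit asks for it via AmbientCapabilities=, otherwise the ambient set could not carry it after the uid change. */`. Where `capability_ambient_set` is computed is outside the hunk, so whether it already reflects the DynamicUser= case the new test fixture exercises has to be confirmed at its definition rather than assumed from the name. exec_invoke() begins and ends outside this hunk.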
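Review bot: In test_exec_ambientcapabilities() the new dynuser test is skipped silently when `have_effective_cap(CAP_SETUID)` is not positive, whereas the surrounding code reports each skip with log_notice() (see the nobody user/group check right below), so a CI run that never exercised the fixture is indistinguishable from one that did. Adding `else log_notice("CAP_SETUID not in effective set, skipping exec-ambientcapabilities-dynuser.service in %s", __func__);` keeps the skip visible and matches the file's style. Note that the `> 0` comparison also folds a negative (error) return of have_effective_cap() into the skip, which is presumably intended but worth a short comment. The enclosing function continues past the hunk.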
+++ b/test/test-execute/exec-ambientcapabilities-dynuser.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for AmbientCapabilities (dynamic user)
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002081"'
+Type=oneshot
+AmbientCapabilities=CAP_CHOWN CAP_SETUID CAP_NET_RAW
+DynamicUser=yes
+PrivateUsers=yes