core/main: merge second RUNTIME_SCOPE_SYSTEM block into switch above

author Mike Yuan <me@yhndnzj.com>

Sat, 13 Jul 2024 20:27:07 +0000 (22:27 +0200)

committer Mike Yuan <me@yhndnzj.com>

Sat, 13 Jul 2024 20:58:23 +0000 (22:58 +0200)
author Mike Yuan <me@yhndnzj.com>
Sat, 13 Jul 2024 20:27:07 +0000 (22:27 +0200)
committer Mike Yuan <me@yhndnzj.com>
Sat, 13 Jul 2024 20:58:23 +0000 (22:58 +0200)
diff --git a/src/core/main.c b/src/core/main.c

index e4d9cac547cc2c44850804e6fddb3d9799e0d7be..1a25372842f34d520bcf0ac56674639e17f849f5 100644 (file)
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2392,6 +2392,33 @@ static int initialize_runtime(
                  if (r < 0)
                          log_warning_errno(r, "Failed to set watchdog device to %s, ignoring: %m", arg_watchdog_device);
  
+                if (!cap_test_all(arg_capability_bounding_set)) {
+                        r = capability_bounding_set_drop_usermode(arg_capability_bounding_set);
+                        if (r < 0) {
+                                *ret_error_message = "Failed to drop capability bounding set of usermode helpers";
+                                return log_struct_errno(LOG_EMERG, r,
+                                                        LOG_MESSAGE("Failed to drop capability bounding set of usermode helpers: %m"),
+                                                        "MESSAGE_ID=" SD_MESSAGE_CORE_CAPABILITY_BOUNDING_USER_STR);
+                        }
+
+                        r = capability_bounding_set_drop(arg_capability_bounding_set, true);
+                        if (r < 0) {
+                                *ret_error_message = "Failed to drop capability bounding set";
+                                return log_struct_errno(LOG_EMERG, r,
+                                                        LOG_MESSAGE("Failed to drop capability bounding set: %m"),
+                                                        "MESSAGE_ID=" SD_MESSAGE_CORE_CAPABILITY_BOUNDING_STR);
+                        }
+                }
+
+                if (arg_no_new_privs) {
+                        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
+                                *ret_error_message = "Failed to disable new privileges";
+                                return log_struct_errno(LOG_EMERG, errno,
+                                                        LOG_MESSAGE("Failed to disable new privileges: %m"),
+                                                        "MESSAGE_ID=" SD_MESSAGE_CORE_DISABLE_PRIVILEGES_STR);
+                        }
+                }
+
                  break;
  
          case RUNTIME_SCOPE_USER: {
@@ -2424,36 +2451,6 @@ static int initialize_runtime(
                  if (prctl(PR_SET_TIMERSLACK, arg_timer_slack_nsec) < 0)
                          log_warning_errno(errno, "Failed to adjust timer slack, ignoring: %m");
  
-        if (arg_runtime_scope == RUNTIME_SCOPE_SYSTEM) {
-
-                if (!cap_test_all(arg_capability_bounding_set)) {
-                        r = capability_bounding_set_drop_usermode(arg_capability_bounding_set);
-                        if (r < 0) {
-                                *ret_error_message = "Failed to drop capability bounding set of usermode helpers";
-                                return log_struct_errno(LOG_EMERG, r,
-                                                        LOG_MESSAGE("Failed to drop capability bounding set of usermode helpers: %m"),
-                                                        "MESSAGE_ID=" SD_MESSAGE_CORE_CAPABILITY_BOUNDING_USER_STR);
-                        }
-
-                        r = capability_bounding_set_drop(arg_capability_bounding_set, true);
-                        if (r < 0) {
-                                *ret_error_message = "Failed to drop capability bounding set";
-                                return log_struct_errno(LOG_EMERG, r,
-                                                        LOG_MESSAGE("Failed to drop capability bounding set: %m"),
-                                                        "MESSAGE_ID=" SD_MESSAGE_CORE_CAPABILITY_BOUNDING_STR);
-                        }
-                }
-
-                if (arg_no_new_privs) {
-                        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
-                                *ret_error_message = "Failed to disable new privileges";
-                                return log_struct_errno(LOG_EMERG, errno,
-                                                        LOG_MESSAGE("Failed to disable new privileges: %m"),
-                                                        "MESSAGE_ID=" SD_MESSAGE_CORE_DISABLE_PRIVILEGES_STR);
-                        }
-                }
-        }
-
          if (arg_syscall_archs) {
                  r = enforce_syscall_archs(arg_syscall_archs);
                  if (r < 0) {
author	Mike Yuan <me@yhndnzj.com>
	Sat, 13 Jul 2024 20:27:07 +0000 (22:27 +0200)
committer	Mike Yuan <me@yhndnzj.com>
	Sat, 13 Jul 2024 20:58:23 +0000 (22:58 +0200)