core/main: move capability_ambient_set_apply() to initialize_runtime()

This is preparation for (user) manager, and we apply capability
settings for the system manager in initialize_runtime() too.

diff --git a/src/core/main.c b/src/core/main.c
index 658ebc68b5670273531717d590e4288fbb992b6a..96cad30d65471d625f2b3119f6d33ab3cbc25fc3 100644 (file)
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2444,6 +2444,11 @@ static int initialize_runtime(
                                 log_warning_errno(r, "Failed to copy os-release for propagation, ignoring: %m");
                 }
 
+                /* Clear ambient capabilities, so services do not inherit them implicitly. Dropping them does
+                 * not affect the permitted and effective sets which are important for the manager itself to
+                 * operate. */
+                (void) capability_ambient_set_apply(0, /* also_inherit= */ false);
+
                 break;
         }
 
@@ -3128,11 +3133,6 @@ int main(int argc, char *argv[]) {
                 /* clear the kernel timestamp, because we are not PID 1 */
                 kernel_timestamp = DUAL_TIMESTAMP_NULL;
 
-                /* Clear ambient capabilities, so services do not inherit them implicitly. Dropping them does
-                 * not affect the permitted and effective sets which are important for the manager itself to
-                 * operate. */
-                capability_ambient_set_apply(0, /* also_inherit= */ false);
-
                 if (mac_init() < 0) {
                         error_message = "Failed to initialize MAC support";
                         goto finish;