core/exec-invoke: deduplicate needs_setuid with needs_sandboxing

author Mike Yuan <me@yhndnzj.com>

Thu, 20 Nov 2025 12:52:51 +0000 (13:52 +0100)

committer Mike Yuan <me@yhndnzj.com>

Sat, 22 Nov 2025 18:07:28 +0000 (19:07 +0100)
author Mike Yuan <me@yhndnzj.com>
Thu, 20 Nov 2025 12:52:51 +0000 (13:52 +0100)
committer Mike Yuan <me@yhndnzj.com>
Sat, 22 Nov 2025 18:07:28 +0000 (19:07 +0100)
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c

index 59808477d1c92ef7caa0b8a78585ec1791503b5f..1d4fa3756dcce0acec22751d95a18f4437ae82d2 100644 (file)
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -5732,7 +5732,7 @@ int exec_invoke(
  
          /* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly
           * excepted from either whole sandboxing or just setresuid() itself. */
-        needs_setuid = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID));
+        needs_setuid = needs_sandboxing && !FLAGS_SET(command->flags, EXEC_COMMAND_NO_SETUID);
  
          uint64_t capability_ambient_set = context->capability_ambient_set;
author	Mike Yuan <me@yhndnzj.com>
	Thu, 20 Nov 2025 12:52:51 +0000 (13:52 +0100)
committer	Mike Yuan <me@yhndnzj.com>
	Sat, 22 Nov 2025 18:07:28 +0000 (19:07 +0100)