The function capability_ambient_set_apply() now drops capabilities not
in the capability_ambient_set(), so it is necessary to call it when
the ambient set is empty.
Fixes #13163
/* This is done before enforce_user, but ambient set
* does not survive over setresuid() if keep_caps is not set. */
- if (!needs_ambient_hack &&
- context->capability_ambient_set != 0) {
+ if (!needs_ambient_hack) {
r = capability_ambient_set_apply(context->capability_ambient_set, true);
if (r < 0) {
*exit_status = EXIT_CAPABILITIES;
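Review bot: With the `context->capability_ambient_set != 0` test removed, the `r < 0` branch that sets `EXIT_CAPABILITIES` is now reachable for every unit where `needs_ambient_hack` is false, including units that configure no ambient capabilities at all. Please confirm that capability_ambient_set_apply() returns 0 for an empty set on kernels without ambient capability support, otherwise such units would start failing at exec time. The comment above the condition also still only talks about setresuid() and keep_caps; it should say that the call is now made with an empty set on purpose, so that capabilities outside the configured set are dropped, or the check is likely to be reintroduced as an optimisation later. It is also worth checking that the `needs_ambient_hack` path gets the same treatment when the set is empty, since this hunk only changes the non-hack branch.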