capability_ambient_set_apply() can be called with capability sets
containing unknown capabilities. Let's not crash when this is the
case but instead ignore the unknown capabilities.
This fixes a crash when running the following command:
"systemd-run -p "AmbientCapabilities=~" --wait --pipe id"
Fixes d5e12dc75e0e356c62e514e9c347efb200fe60e0
int r;
/* Remove capabilities requested in ambient set, but not in the bounding set */
- BIT_FOREACH(i, set) {
- assert((unsigned) i <= cap_last_cap());
+ for (unsigned i = 0; i <= cap_last_cap(); i++) {
+ if (!BIT_SET(set, i))
+ continue;
if (prctl(PR_CAPBSET_READ, (unsigned long) i) != 1) {
log_debug("Ambient capability %s requested but missing from bounding set, suppressing automatically.",
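Review bot: bits in `set` above cap_last_cap() are now dropped silently, so a unit whose "AmbientCapabilities=" names a capability this kernel does not know gets no diagnostic at all; since the existing path already emits a log_debug() for the bounding-set case, consider logging the ignored high bits at the same level before the loop, and extend the "Remove capabilities requested in ambient set, but not in the bounding set" comment to say that unknown capabilities are ignored as well. Minor: cap_last_cap() is re-evaluated on every iteration of `for (unsigned i = 0; i <= cap_last_cap(); i++)`; hoisting it into a local keeps the loop bound fixed and reads more clearly.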