core: do not drop CAP_SETUID if it is in AmbientCapabilities=

author Luca Boccassi <bluca@debian.org>

Fri, 1 Dec 2023 01:44:54 +0000 (01:44 +0000)

committer Luca Boccassi <luca.boccassi@gmail.com>

Fri, 1 Dec 2023 10:48:14 +0000 (10:48 +0000)
author Luca Boccassi <bluca@debian.org>
Fri, 1 Dec 2023 01:44:54 +0000 (01:44 +0000)
committer Luca Boccassi <luca.boccassi@gmail.com>
Fri, 1 Dec 2023 10:48:14 +0000 (10:48 +0000)
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c

index 1e08296b4669ac3317f141d2ed3cf01181cf2137..0741ce3c3b8ea360c7003cf87b079b3735a4ea41 100644 (file)
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -4918,10 +4918,12 @@ int exec_invoke(
                          }
  
                          if (keep_seccomp_privileges) {
-                                r = drop_capability(CAP_SETUID);
-                                if (r < 0) {
-                                        *exit_status = EXIT_USER;
-                                        return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m");
+                                if (!FLAGS_SET(capability_ambient_set, (UINT64_C(1) << CAP_SETUID))) {
+                                        r = drop_capability(CAP_SETUID);
+                                        if (r < 0) {
+                                                *exit_status = EXIT_USER;
+                                                return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m");
+                                        }
                                  }
  
                                  r = keep_capability(CAP_SYS_ADMIN);
diff --git a/src/test/test-execute.c b/src/test/test-execute.c

index 64779d0cf2de091045a5aadffad9fd90a1d1dfa1..9a03e291a03f6ec21710b587e9089c49e3337087 100644 (file)
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -1070,6 +1070,9 @@ static void test_exec_ambientcapabilities(Manager *m) {
          test(m, "exec-ambientcapabilities.service", 0, CLD_EXITED);
          test(m, "exec-ambientcapabilities-merge.service", 0, CLD_EXITED);
  
+        if (have_effective_cap(CAP_SETUID) > 0)
+                test(m, "exec-ambientcapabilities-dynuser.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
+
          if (!check_nobody_user_and_group()) {
                  log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
                  return;
diff --git a/test/test-execute/exec-ambientcapabilities-dynuser.service b/test/test-execute/exec-ambientcapabilities-dynuser.service

new file mode 100644 (file)

index 0000000..560628e
--- /dev/null
+++ b/test/test-execute/exec-ambientcapabilities-dynuser.service
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for AmbientCapabilities (dynamic user)
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb: 0000000000002081"'
+Type=oneshot
+AmbientCapabilities=CAP_CHOWN CAP_SETUID CAP_NET_RAW
+DynamicUser=yes
+PrivateUsers=yes
author	Luca Boccassi <bluca@debian.org>
	Fri, 1 Dec 2023 01:44:54 +0000 (01:44 +0000)
committer	Luca Boccassi <luca.boccassi@gmail.com>
	Fri, 1 Dec 2023 10:48:14 +0000 (10:48 +0000)
src/core/exec-invoke.c		patch \| blob \| blame \| history
src/test/test-execute.c		patch \| blob \| blame \| history
test/test-execute/exec-ambientcapabilities-dynuser.service	[new file with mode: 0644]	patch \| blob