From: Mike Yuan Date: Sat, 13 Jul 2024 20:36:22 +0000 (+0200) Subject: core/main: move capability_ambient_set_apply() to initialize_runtime() X-Git-Tag: v257-rc1~905^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2bff236e70af81adc552df7ce20bbc4e196f32cc;p=thirdparty%2Fsystemd.git core/main: move capability_ambient_set_apply() to initialize_runtime() This is preparation for (user) manager, and we apply capability settings for the system manager in initialize_runtime() too.
---
diff --git a/src/core/main.c b/src/core/main.c
index 658ebc68b56..96cad30d654 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2444,6 +2444,11 @@ static int initialize_runtime(
 log_warning_errno(r, "Failed to copy os-release for propagation, ignoring: %m");
 }
 
+ /* Clear ambient capabilities, so services do not inherit them implicitly. Dropping them does
+ * not affect the permitted and effective sets which are important for the manager itself to
+ * operate. */
+ (void) capability_ambient_set_apply(0, /* also_inherit= */ false);
+
 break;
 }
 
@@ -3128,11 +3133,6 @@ int main(int argc, char *argv[]) {
 /* clear the kernel timestamp, because we are not PID 1 */
 kernel_timestamp = DUAL_TIMESTAMP_NULL;
 
- /* Clear ambient capabilities, so services do not inherit them implicitly. Dropping them does
- * not affect the permitted and effective sets which are important for the manager itself to
- * operate. */
- capability_ambient_set_apply(0, /* also_inherit= */ false);
-
 if (mac_init() < 0) {
 error_message = "Failed to initialize MAC support";
 goto finish;
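Review bot: The `(void)` cast on the relocated `capability_ambient_set_apply(0, /* also_inherit= */ false)` call in `initialize_runtime()` discards the only signal that the ambient set was not cleared, which is exactly the case where services would inherit those capabilities implicitly, as the comment above the call warns. Keeping the call best-effort is reasonable, but the failure should at least be logged, e.g. `r = capability_ambient_set_apply(0, /* also_inherit= */ false);` followed by `if (r < 0) log_warning_errno(r, "Failed to reset ambient capability set, ignoring: %m");`, in the same style as the os-release warning just before it. The enclosing `case` label and the rest of `initialize_runtime()` lie outside the hunk, so it is worth confirming that this branch is reached for every runtime scope that previously hit the call in `main()`, and that nothing is spawned between the old and the new call site while the ambient set is still populated.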