From: Kevin Kuehler <keur@xcf.berkeley.edu>
Date: Fri, 27 Mar 2020 22:57:02 +0000 (-0700)
Subject: basic: Fix capability_ambient_set_apply for kernels < 4.3
X-Git-Tag: v246-rc1~689
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7ea4392f1e444388caa706d6bd64fb7b30dc2903;p=thirdparty%2Fsystemd.git

basic: Fix capability_ambient_set_apply for kernels < 4.3

https://github.com/systemd/systemd/pull/14133 made
capability_ambient_set_apply() acquire capabilities that were explicitly
asked for and drop all others. This change means the function is called
even with an empty capability set, opening up a code path for users
without ambient capabilities to call this function. This function will
error with EINVAL out on kernels < 4.3 because PR_CAP_AMBIENT is not
understood. This turns capability_ambient_set_apply() into a noop for
kernels < 4.3

Fixes https://github.com/systemd/systemd/issues/15225
---

diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index 93237646cc9..caffda62af8 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -107,6 +107,10 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
         unsigned long i;
         int r;
 
+        /* Check that we can use PR_CAP_AMBIENT or quit early. */
+        if (!ambient_capabilities_supported())
+                return 0;
+
         /* Add the capabilities to the ambient set. */
 
         if (also_inherit) {