From: Kevin Kuehler <keur@xcf.berkeley.edu>
Date: Tue, 26 Nov 2019 19:20:14 +0000 (-0800)
Subject: execute: Call capability_ambient_set_apply even if ambient set is 0
X-Git-Tag: v245-rc1~319^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F14133%2Fhead;p=thirdparty%2Fsystemd.git

execute: Call capability_ambient_set_apply even if ambient set is 0

The function capability_ambient_set_apply() now drops capabilities not
in the capability_ambient_set(), so it is necessary to call it when
the ambient set is empty.

Fixes #13163
---

diff --git a/src/core/execute.c b/src/core/execute.c
index abc164ff5be..4f96d1f4102 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3595,8 +3595,7 @@ static int exec_child(
 
                 /* This is done before enforce_user, but ambient set
                  * does not survive over setresuid() if keep_caps is not set. */
-                if (!needs_ambient_hack &&
-                    context->capability_ambient_set != 0) {
+                if (!needs_ambient_hack) {
                         r = capability_ambient_set_apply(context->capability_ambient_set, true);
                         if (r < 0) {
                                 *exit_status = EXIT_CAPABILITIES;