From 0acf4dfef5746be4cc10a9b8de06c12e4cd4f6d4 Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Sat, 13 Jul 2024 22:27:07 +0200
Subject: [PATCH] core/main: merge second RUNTIME_SCOPE_SYSTEM block into switch above
---
 src/core/main.c | 57 +++++++++++++++++++++++--------------------------
 1 file changed, 27 insertions(+), 30 deletions(-)
diff --git a/src/core/main.c b/src/core/main.c
index e4d9cac547c..1a25372842f 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2392,6 +2392,33 @@ static int initialize_runtime(
 if (r < 0)
 log_warning_errno(r, "Failed to set watchdog device to %s, ignoring: %m", arg_watchdog_device);
+ if (!cap_test_all(arg_capability_bounding_set)) {
+ r = capability_bounding_set_drop_usermode(arg_capability_bounding_set);
+ if (r < 0) {
+ *ret_error_message = "Failed to drop capability bounding set of usermode helpers";
+ return log_struct_errno(LOG_EMERG, r,
+ LOG_MESSAGE("Failed to drop capability bounding set of usermode helpers: %m"),
+ "MESSAGE_ID=" SD_MESSAGE_CORE_CAPABILITY_BOUNDING_USER_STR);
+ }
+
+ r = capability_bounding_set_drop(arg_capability_bounding_set, true);
+ if (r < 0) {
+ *ret_error_message = "Failed to drop capability bounding set";
+ return log_struct_errno(LOG_EMERG, r,
+ LOG_MESSAGE("Failed to drop capability bounding set: %m"),
+ "MESSAGE_ID=" SD_MESSAGE_CORE_CAPABILITY_BOUNDING_STR);
+ }
+ }
+
+ if (arg_no_new_privs) {
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
+ *ret_error_message = "Failed to disable new privileges";
+ return log_struct_errno(LOG_EMERG, errno,
+ LOG_MESSAGE("Failed to disable new privileges: %m"),
+ "MESSAGE_ID=" SD_MESSAGE_CORE_DISABLE_PRIVILEGES_STR);
+ }
+ }
+
 break;
 case RUNTIME_SCOPE_USER: {
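Review bot: The bounding-set drop and `PR_SET_NO_NEW_PRIVS` now sit at the end of the RUNTIME_SCOPE_SYSTEM case, just before `break`, and nothing there says they have to stay last. Anything later added to this case below them would run with the reduced bounding set (and, since `capability_bounding_set_drop()` is called with `true`, presumably with those capabilities already gone from the process itself). I would add a comment above `if (!cap_test_all(arg_capability_bounding_set))`, e.g. `/* Privilege reduction comes last in the system case: keep all setup that needs the full capability set above this point. */`. The move also places the drop ahead of the `PR_SET_TIMERSLACK` call seen as context in the second hunk; that call looks unaffected, but the lines between the two hunks are not visible here and are worth a check. initialize_runtime() begins and ends outside the hunk.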
@@ -2424,36 +2451,6 @@ static int initialize_runtime(
 if (prctl(PR_SET_TIMERSLACK, arg_timer_slack_nsec) < 0)
 log_warning_errno(errno, "Failed to adjust timer slack, ignoring: %m");
- if (arg_runtime_scope == RUNTIME_SCOPE_SYSTEM) {
-
- if (!cap_test_all(arg_capability_bounding_set)) {
- r = capability_bounding_set_drop_usermode(arg_capability_bounding_set);
- if (r < 0) {
- *ret_error_message = "Failed to drop capability bounding set of usermode helpers";
- return log_struct_errno(LOG_EMERG, r,
- LOG_MESSAGE("Failed to drop capability bounding set of usermode helpers: %m"),
- "MESSAGE_ID=" SD_MESSAGE_CORE_CAPABILITY_BOUNDING_USER_STR);
- }
-
- r = capability_bounding_set_drop(arg_capability_bounding_set, true);
- if (r < 0) {
- *ret_error_message = "Failed to drop capability bounding set";
- return log_struct_errno(LOG_EMERG, r,
- LOG_MESSAGE("Failed to drop capability bounding set: %m"),
- "MESSAGE_ID=" SD_MESSAGE_CORE_CAPABILITY_BOUNDING_STR);
- }
- }
-
- if (arg_no_new_privs) {
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
- *ret_error_message = "Failed to disable new privileges";
- return log_struct_errno(LOG_EMERG, errno,
- LOG_MESSAGE("Failed to disable new privileges: %m"),
- "MESSAGE_ID=" SD_MESSAGE_CORE_DISABLE_PRIVILEGES_STR);
- }
- }
- }
-
 if (arg_syscall_archs) {
 r = enforce_syscall_archs(arg_syscall_archs);
 if (r < 0) {
--
2.47.3