From 2bff236e70af81adc552df7ce20bbc4e196f32cc Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Sat, 13 Jul 2024 22:36:22 +0200
Subject: [PATCH] core/main: move capability_ambient_set_apply() to initialize_runtime()

This is preparation for (user) manager, and we apply capability settings for the system manager in initialize_runtime() too.
---
 src/core/main.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/core/main.c b/src/core/main.c
index 658ebc68b56..96cad30d654 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2444,6 +2444,11 @@ static int initialize_runtime(
 log_warning_errno(r, "Failed to copy os-release for propagation, ignoring: %m");
 }
 
+ /* Clear ambient capabilities, so services do not inherit them implicitly. Dropping them does
+ * not affect the permitted and effective sets which are important for the manager itself to
+ * operate. */
+ (void) capability_ambient_set_apply(0, /* also_inherit= */ false);
+
 break;
 }
 
@@ -3128,11 +3133,6 @@ int main(int argc, char *argv[]) {
 /* clear the kernel timestamp, because we are not PID 1 */
 kernel_timestamp = DUAL_TIMESTAMP_NULL;
 
- /* Clear ambient capabilities, so services do not inherit them implicitly. Dropping them does
- * not affect the permitted and effective sets which are important for the manager itself to
- * operate. */
- capability_ambient_set_apply(0, /* also_inherit= */ false);
-
 if (mac_init() < 0) {
 error_message = "Failed to initialize MAC support";
 goto finish;
--
2.47.3
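Review bot: The new `(void) capability_ambient_set_apply(0, /* also_inherit= */ false);` in initialize_runtime() discards the result, so a failure to drop the ambient set leaves services able to inherit those capabilities with nothing in the log to show it; the call sits right after a `log_warning_errno(r, ...)` in the same scope, so that pattern can be reused: `r = capability_ambient_set_apply(0, /* also_inherit= */ false);` / `if (r < 0)` / `log_warning_errno(r, "Failed to drop ambient capabilities, ignoring: %m");`. The removed block in main() ran on the "we are not PID 1" path, while the hunk does not show which switch case of initialize_runtime() the new call lands in, so it is worth confirming that every path that previously reached the old call site (including any that return before initialize_runtime() is invoked) still clears the ambient set. initialize_runtime() begins before the hunk, and the second hunk is the matching pure deletion.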