basic: Fix capability_ambient_set_apply for kernels < 4.3

https://github.com/systemd/systemd/pull/14133 made capability_ambient_set_apply() acquire capabilities that were explicitly asked for and drop all others. This change means the function is called even with an empty capability set, opening up a code path for users without ambient capabilities to call this function. This function will error with EINVAL out on kernels < 4.3 because PR_CAP_AMBIENT is not understood. This turns capability_ambient_set_apply() into a noop for kernels < 4.3 Fixes https://github.com/systemd/systemd/issues/15225
author: Kevin Kuehler <keur@xcf.berkeley.edu> 2020-03-27 15:57:02 -0700
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2020-03-29 21:11:25 +0200
commit: 7ea4392f1e444388caa706d6bd64fb7b30dc2903 (patch)
tree: 209e32be4842a8662a82db5f02ca8b99b5ee5cdf /src/basic/capability-util.c
parent: 3e118d135b99afed85b34476c66abf6d1a3d413a (diff)
download: systemd-7ea4392f1e444388caa706d6bd64fb7b30dc2903.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index 93237646cc..caffda62af 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -107,6 +107,10 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
         unsigned long i;
         int r;
 
+        /* Check that we can use PR_CAP_AMBIENT or quit early. */
+        if (!ambient_capabilities_supported())
+                return 0;
+
         /* Add the capabilities to the ambient set. */
 
         if (also_inherit) {
author	Kevin Kuehler <keur@xcf.berkeley.edu>	2020-03-27 15:57:02 -0700
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2020-03-29 21:11:25 +0200
commit	7ea4392f1e444388caa706d6bd64fb7b30dc2903 (patch)
tree	209e32be4842a8662a82db5f02ca8b99b5ee5cdf /src/basic/capability-util.c
parent	3e118d135b99afed85b34476c66abf6d1a3d413a (diff)
download	systemd-7ea4392f1e444388caa706d6bd64fb7b30dc2903.tar.gz