basic: Fix capability_ambient_set_apply for kernels < 4.3

systemd/systemd#14133 made capability_ambient_set_apply() acquire capabilities that were explicitly asked for and drop all others. This change means the function is called even with an empty capability set, opening up a code path for users without ambient capabilities to call this function. This function will error with EINVAL out on kernels < 4.3 because PR_CAP_AMBIENT is not understood. This turns capability_ambient_set_apply() into a noop for kernels < 4.3 Fixes systemd/systemd#15225 (cherry picked from commit 7ea4392)
systemd · Apr 1, 2020 · 1a2f596 · 1a2f596
1 parent e4b7c40
commit 1a2f596
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
@@ -107,6 +107,10 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
         unsigned long i;
         int r;
 
+        /* Check that we can use PR_CAP_AMBIENT or quit early. */
+        if (!ambient_capabilities_supported())
+                return 0;
+
         /* Add the capabilities to the ambient set. */
 
         if (also_inherit) {