
multiple CapabilityBoundingSet= not merged? #1221

Closed
rubenk opened this issue Sep 9, 2015 · 0 comments

Comments

@rubenk
Contributor

commented Sep 9, 2015

I'm trying to confine collectd a bit.

systemd.exec(5) says, for CapabilityBoundingSet=:

This option may appear more than once in which case the bounding sets are merged

When I specify the following:

# turn this on if you use the dns or ping plugin
CapabilityBoundingSet=CAP_NET_RAW
# turn this on if you use the iptables plugin
CapabilityBoundingSet=CAP_NET_ADMIN

collectd drops all caps, whereas I would expect it to retain both CAP_NET_RAW and CAP_NET_ADMIN.

$ sudo getpcaps $(pgrep collectd)
Capabilities for `31652': =

This, however, works: CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN:

$ sudo getpcaps $(pgrep collectd)
Capabilities for `31720': = cap_net_admin,cap_net_raw+ep

Am I understanding the documentation wrong, is the documentation wrong or is the code wrong ;) ?

Running systemd 2.26
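An added check, not part of the issue or of systemd, that computes the bounding set systemd.exec(5) documents for a sequence of CapabilityBoundingSet= lines (OR-merge for plain lines, AND-merge for "~" lines, empty value resets) and compares it with what getpcaps reports for the running daemon, so the merging bug above shows up as a non-empty "missing" set. The capability universe ALL_CAPS is an abbreviated constructed stand-in for the full list in capabilities(7).

```python
import re

# Constructed, abbreviated universe used when a "~" line inverts the list;
# a real check would load the full list from capabilities(7).
ALL_CAPS = {"cap_chown", "cap_net_admin", "cap_net_raw", "cap_sys_admin"}

# The unit snippet from the issue, as constructed sample input.
UNIT_LINES = [
    "# turn this on if you use the dns or ping plugin",
    "CapabilityBoundingSet=CAP_NET_RAW",
    "# turn this on if you use the iptables plugin",
    "CapabilityBoundingSet=CAP_NET_ADMIN",
]

def expected_bounding_set(unit_lines, all_caps=ALL_CAPS):
    """Bounding set per systemd.exec(5): plain lines merge by OR, '~' lines
    list caps to drop (merge by AND), an empty assignment resets to empty."""
    result = None  # None: no assignment seen, bounding set left unrestricted
    for raw in unit_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() != "CapabilityBoundingSet":
            continue
        value = value.strip()
        if value == "":
            result = set()
            continue
        caps = {c.lower() for c in value.lstrip("~").split()}
        if value.startswith("~"):
            result = (set(all_caps) if result is None else result) - caps
        else:
            result = (set() if result is None else result) | caps
    return set(all_caps) if result is None else result

def parse_getpcaps(line):
    """Capability names in one getpcaps(8) line. Handles the older
    "...: = cap_a,cap_b+ep" and newer "...: cap_a,cap_b=ep" layouts.
    getpcaps shows permitted/effective sets, which for a root daemon
    collapse to the bounding set, hence its use as the check in the issue."""
    rhs = line.partition(":")[2].strip().lstrip("=").strip()
    caps = set()
    for clause in rhs.split():
        names = re.split(r"[+\-=]", clause)[0]  # drop the +ep / =ep flags
        caps.update(n for n in names.split(",") if n)
    return caps

def missing_caps(unit_lines, getpcaps_line, all_caps=ALL_CAPS):
    """Caps the unit asked for that the running process does not hold."""
    return expected_bounding_set(unit_lines, all_caps) - parse_getpcaps(getpcaps_line)
```

Feed it the unit's lines and the `getpcaps` output for the daemon's PID; an empty result means the bounding set was merged as documented.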

evverx added a commit to evverx/systemd that referenced this issue Oct 27, 2015

ssahani added a commit to ssahani/systemd that referenced this issue Nov 3, 2015

ssahani added a commit to ssahani/systemd that referenced this issue Nov 3, 2015

ssahani added a commit to ssahani/systemd that referenced this issue Nov 3, 2015

whot pushed a commit to whot/systemd that referenced this issue Oct 10, 2017

core: fix CapabilityBoundingSet merging
Fixes: systemd#1221

Cherry-picked from: b9d345b
Resolves: #1409586

fdo-mirror pushed a commit to freedesktop/NetworkManager that referenced this issue May 21, 2019

service: give CAP_SYS_ADMIN for ibft/iscsiadm (rh#1371201)
systemd on rhel-7.3 has a bug with merging CapabilityBoundingSet.
systemd/systemd#1221
Thus it is all in one line.

vuvova added a commit to MariaDB/server that referenced this issue Jul 5, 2019

Workaround for systemd/systemd#1221
Put all capabilities in one CapabilityBoundingSet line,
otherwise buggy systemd sets CapabilityBoundingSet=0