diff options
| author | Lennart Poettering <lennart@poettering.net> | 2024-12-12 13:42:12 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2024-12-17 17:34:46 +0100 |
| commit | 00a415fc8f9e3469549a56d29f448b8cf14b0598 (patch) | |
| tree | 0c6a417fce49ac21aab82a965e046c6c29548130 /src/nspawn | |
| parent | machine: introduce io.systemd.Machine.{MapFrom, MapTo} methods (#35064) (diff) | |
| download | systemd-00a415fc8f9e3469549a56d29f448b8cf14b0598.tar.xz systemd-00a415fc8f9e3469549a56d29f448b8cf14b0598.zip | |
tree-wide: remove support for kernels lacking ambient caps
Let's bump the kernel baseline a bit to 4.3 and thus require ambient
caps.
This allows us to remove support for a variety of special casing, most
importantly the ExecStart=!! hack.
Diffstat (limited to 'src/nspawn')
| -rw-r--r-- | src/nspawn/nspawn.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 6f90f2f418..ec3bb40c3d 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -2811,7 +2811,7 @@ static int drop_capabilities(uid_t uid) { if (q.permitted == UINT64_MAX) q.permitted = uid == 0 ? q.bounding : arg_caps_ambient; - if (q.ambient == UINT64_MAX && ambient_capabilities_supported()) + if (q.ambient == UINT64_MAX) q.ambient = arg_caps_ambient; if (capability_quintet_mangle(&q)) @@ -2823,7 +2823,7 @@ static int drop_capabilities(uid_t uid) { .effective = uid == 0 ? arg_caps_retain : 0, .inheritable = uid == 0 ? arg_caps_retain : arg_caps_ambient, .permitted = uid == 0 ? arg_caps_retain : arg_caps_ambient, - .ambient = ambient_capabilities_supported() ? arg_caps_ambient : UINT64_MAX, + .ambient = arg_caps_ambient, }; /* If we're not using OCI, proceed with mangled capabilities (so we don't error out) |