X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fmain.c;h=4c3ee7d5a2e240cd1ad42f1612a271f5dfa1146d;hb=7c49259fc8f63ade6cb212a43477d7030aaaf423;hp=b66ae0e035f1e31c9c8207157ce41287cd01bcf3;hpb=bf4df7c3b6cb24918d94835cafd9dd60881c8981;p=elogind.git

diff --git a/src/core/main.c b/src/core/main.c
index b66ae0e03..4c3ee7d5a 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -50,6 +50,7 @@
 #include "watchdog.h"
 #include "path-util.h"
 #include "switch-root.h"
+#include "capability.h"
 
 #include "mount-setup.h"
 #include "loopback-setup.h"
@@ -88,6 +89,7 @@ static ExecOutput arg_default_std_error = EXEC_OUTPUT_INHERIT;
 static usec_t arg_runtime_watchdog = 0;
 static usec_t arg_shutdown_watchdog = 10 * USEC_PER_MINUTE;
 static struct rlimit *arg_default_rlimit[RLIMIT_NLIMITS] = {};
+static uint64_t arg_capability_bounding_set_drop = 0;
 
 static FILE* serialization = NULL;
 
@@ -678,6 +680,7 @@ static int parse_config_file(void) {
                 { "Manager", "JoinControllers",       config_parse_join_controllers, 0, &arg_join_controllers },
                 { "Manager", "RuntimeWatchdogSec",    config_parse_usec,         0, &arg_runtime_watchdog    },
                 { "Manager", "ShutdownWatchdogSec",   config_parse_usec,         0, &arg_shutdown_watchdog   },
+                { "Manager", "CapabilityBoundingSet", config_parse_bounding_set, 0, &arg_capability_bounding_set_drop },
                 { "Manager", "DefaultLimitCPU",       config_parse_limit,        0, &arg_default_rlimit[RLIMIT_CPU]},
                 { "Manager", "DefaultLimitFSIZE",     config_parse_limit,        0, &arg_default_rlimit[RLIMIT_FSIZE]},
                 { "Manager", "DefaultLimitDATA",      config_parse_limit,        0, &arg_default_rlimit[RLIMIT_DATA]},
@@ -1484,6 +1487,19 @@ int main(int argc, char *argv[]) {
         if (arg_running_as == MANAGER_SYSTEM && arg_runtime_watchdog > 0)
                 watchdog_set_timeout(&arg_runtime_watchdog);
 
+        if (arg_capability_bounding_set_drop) {
+                r = capability_bounding_set_drop(arg_capability_bounding_set_drop, true);
+                if (r < 0) {
+                        log_error("Failed to drop capability bounding set: %s", strerror(-r));
+                        goto finish;
+                }
+                r = capability_bounding_set_drop_usermode(arg_capability_bounding_set_drop);
+                if (r < 0) {
+                        log_error("Failed to drop capability bounding set of usermode helpers: %s", strerror(-r));
+                        goto finish;
+                }
+        }
+
         r = manager_new(arg_running_as, &m);
         if (r < 0) {
                 log_error("Failed to allocate manager object: %s", strerror(-r));
@@ -1749,12 +1765,15 @@ finish:
                 args[0] = "/sbin/init";
                 execv(args[0], (char* const*) args);
 
-                log_warning("Failed to execute /sbin/init, trying fallback: %m");
+                if (errno == ENOENT) {
+                        log_warning("No /sbin/init, trying fallback");
 
-                args[0] = "/bin/sh";
-                args[1] = NULL;
-                execv(args[0], (char* const*) args);
-                log_error("Failed to execute /bin/sh, giving up: %m");
+                        args[0] = "/bin/sh";
+                        args[1] = NULL;
+                        execv(args[0], (char* const*) args);
+                        log_error("Failed to execute /bin/sh, giving up: %m");
+                } else
+                        log_warning("Failed to execute /sbin/init, giving up: %m");
         }
 
         if (serialization)