+
+int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
+
+ _cleanup_cap_free_ cap_t d = NULL;
+ int r;
+
+ /* Unfortunately we cannot leave privilege dropping to PID 1
+ * here, since we want to run as user but want to keep some
+ * capabilities. Since file capabilities have been introduced
+ * this cannot be done across exec() anymore, unless our
+ * binary has the capability configured in the file system,
+ * which we want to avoid. */
+
+ if (setresgid(gid, gid, gid) < 0) {
+ log_error("Failed change group ID: %m");
+ return -errno;
+ }
+
+ if (setgroups(0, NULL) < 0) {
+ log_error("Failed to drop auxiliary groups list: %m");
+ return -errno;
+ }
+
+ if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
+ log_error("Failed to enable keep capabilities flag: %m");
+ return -errno;
+ }
+
+ r = setresuid(uid, uid, uid);
+ if (r < 0) {
+ log_error("Failed change user ID: %m");
+ return -errno;
+ }
+
+ if (prctl(PR_SET_KEEPCAPS, 0) < 0) {
+ log_error("Failed to disable keep capabilities flag: %m");
+ return -errno;
+ }
+
+ r = capability_bounding_set_drop(~keep_capabilities, true);
+ if (r < 0) {
+ log_error("Failed to drop capabilities: %s", strerror(-r));
+ return r;
+ }
+
+ d = cap_init();
+ if (!d)
+ return log_oom();
+
+ if (keep_capabilities) {
+ cap_value_t bits[sizeof(keep_capabilities)*8];
+ unsigned i, j = 0;
+
+ for (i = 0; i < sizeof(keep_capabilities)*8; i++)
+ if (keep_capabilities & (1ULL << i))
+ bits[j++] = i;
+
+ if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 ||
+ cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) {
+ log_error("Failed to enable capabilities bits: %m");
+ return -errno;
+ }
+ }
+
+ if (cap_set_proc(d) < 0) {
+ log_error("Failed to increase capabilities: %m");
+ return -errno;
+ }
+
+ return 0;
+}