From 31c885e9ae53f4b88a36452c4ca10643fdd0fd06 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Fri, 30 Aug 2013 10:23:50 +0200
Subject: [PATCH] main: drop capabilities of userhelpers before ours
First drop the capabilities of the userhelpers before dropping our own, otherwise we might not be allowed to drop the capabilities of the userhelpers. Especially, if we want to drop CAP_SYS_MODULE. Credits: Matteo Sasso
---
 src/core/main.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/core/main.c b/src/core/main.c
index 0178f1072..72bd542af 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1509,14 +1509,14 @@ int main(int argc, char *argv[]) {
 log_error("Failed to adjust timer slack: %m");
 if (arg_capability_bounding_set_drop) {
- r = capability_bounding_set_drop(arg_capability_bounding_set_drop, true);
+ r = capability_bounding_set_drop_usermode(arg_capability_bounding_set_drop);
 if (r < 0) {
- log_error("Failed to drop capability bounding set: %s", strerror(-r));
+ log_error("Failed to drop capability bounding set of usermode helpers: %s", strerror(-r));
 goto finish;
 }
- r = capability_bounding_set_drop_usermode(arg_capability_bounding_set_drop);
+ r = capability_bounding_set_drop(arg_capability_bounding_set_drop, true);
 if (r < 0) {
- log_error("Failed to drop capability bounding set of usermode helpers: %s", strerror(-r));
+ log_error("Failed to drop capability bounding set: %s", strerror(-r));
 goto finish;
 }
 }
-- 
2.30.2
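Review bot: The new call order is load-bearing but nothing in the code says so: `capability_bounding_set_drop_usermode()` has to stay ahead of `capability_bounding_set_drop(..., true)`, and the only explanation lives in the commit message. A later cleanup that swaps them back would fail only when the configured drop set contains a capability needed to change the helpers' set (the message names CAP_SYS_MODULE), so the regression could slip through testing with other configurations. I would add a comment above the first call, e.g. `/* Drop the usermode helpers' bounding set first: once our own set is reduced (e.g. CAP_SYS_MODULE) we may no longer be allowed to change theirs. */`. main()'s body starts and ends outside the hunk.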