Bug 68434 - CAP_SYS_MODULE cannot be dropped at boot
Summary: CAP_SYS_MODULE cannot be dropped at boot
Status: RESOLVED FIXED
Alias: None
Product: systemd
Classification: Unclassified
Component: general
Version: unspecified
Hardware: All Linux (All)
Importance: medium normal
Assignee: systemd-bugs
QA Contact: systemd-bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2013-08-22 13:20 UTC by Matteo Sasso
Modified: 2013-08-30 08:27 UTC (History)

Description Matteo Sasso 2013-08-22 13:20:37 UTC
At boot, init drops its own capabilities and usermode helpers' according to the CapabilityBoundingSet option in systemd/system.conf. Unfortunately, to modify files in /proc/sys/kernel/usermodehelper you need CAP_SYS_MODULE: if you don't include CAP_SYS_MODULE in the bounding set, boot fails with "Failed to drop capability bounding set of usermode helpers".

I think being able to drop CAP_SYS_MODULE is one of the most useful uses of that option. To fix this, capabilities should be dropped in reverse order: first those of usermodehelper, then those of systemd's init.

It should be a trivial change to main.c (just search for the error message and you'll see what I mean).
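As an added illustration (not systemd's code and not the reporter's), the ordering the report asks for, in C: write the usermode-helper bounding set first, while CAP_SYS_MODULE is still held, then drop the same capabilities from the calling process with prctl(PR_CAPBSET_DROP). The function names are mine; the sysctl path and its two-word format are the kernel's, and the write only succeeds as root with CAP_SYS_MODULE.

```c
#include <errno.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* The sysctl file the report refers to; the kernel parses it as two unsigned
 * longs: the low 32 bits of the mask, then the high 32 bits. */
#define UMH_BSET_PATH "/proc/sys/kernel/usermodehelper/bset"

/* Render a 64-bit "capabilities to keep" mask in that "<low> <high>" form.
 * Returns the length written, or -1 if buf is too small. */
int format_umh_capset(uint64_t keep, char *buf, size_t n) {
    int len = snprintf(buf, n, "%lu %lu",
                       (unsigned long)(keep & 0xffffffffULL),
                       (unsigned long)(keep >> 32));
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Step 1: restrict the usermode helpers. Writing this file needs
 * CAP_SYS_MODULE, so it must happen while we still hold it. */
int umh_bset_write(uint64_t keep) {
    char buf[64];
    int r = 0;
    if (format_umh_capset(keep, buf, sizeof buf) < 0) return -EINVAL;
    FILE *f = fopen(UMH_BSET_PATH, "we");
    if (!f) return -errno;
    if (fputs(buf, f) == EOF) r = -errno;
    if (fclose(f) != 0 && r == 0) r = -errno;
    return r;
}

/* Step 2: drop every capability not in `keep` from our own bounding set.
 * EINVAL means the running kernel does not know that capability; skip it. */
int bset_drop_self(uint64_t keep) {
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (keep & (1ULL << cap)) continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0 && errno != EINVAL)
            return -errno;
    }
    return 0;
}

/* The order the report asks for: helpers first, then init itself.
 * Reversed, step 1 fails with EPERM once CAP_SYS_MODULE has been dropped. */
int apply_capability_bounding_set(uint64_t keep) {
    int r = umh_bset_write(keep);
    return r < 0 ? r : bset_drop_self(keep);
}
```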

