[systemd-devel] Add ambient capability support to execution environment config?
Lennart Poettering
lennart at poettering.net
Wed Oct 14 07:55:15 PDT 2015
On Thu, 08.10.15 13:12, Andy Lutomirski (luto at amacapital.net) wrote:
> For non-root services, getting Capabilities= and CapabilityBoundingSet= to
> do anything useful is rather tricky. Would it make sense to add
> AmbientCapabilities= to set ambient (and, implicitly, inheritable)
> capabilities, which will be available in Linux 4.3?
>
> Alternatively, there could be a boolean option to change the meaning of
> Capabilities so that it uses ambient capabilities instead of whatever it
> currently does.

I am pretty sure we should deprecate/deemphasize Capabilities=, as it
uses the weird POSIX syntax that nobody groks and is also useless. We
kind of already suggest this in the man pages, but maybe should word
this a bit stronger.

I think CapabilityBoundingSet= is OK the way it is.

Happy to take a patch that adds AmbientCapabilities= using the same
parser as CapabilityBoundingSet=. GitHub PRs preferred.

Lennart
--
Lennart Poettering, Red Hat
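
Added example, not part of the original message and not systemd code: a small C model of the execve() capability rules from capabilities(7) for a non-root process. It shows that a capability held only in the permitted and inheritable sets is lost when a binary without file capabilities is executed, while one raised into the ambient set survives. The struct and function names are hypothetical, and CAP_NET_BIND_SERVICE is just a sample capability.

```c
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_BIND_SERVICE 10            /* value from <linux/capability.h> */
#define CAP_BIT(c) (UINT64_C(1) << (c))

/* Hypothetical model types: one bit per capability. */
struct proc_caps { uint64_t permitted, inheritable, effective, bounding, ambient; };
struct file_caps { uint64_t permitted, inheritable; int effective, privileged; };

/* Ambient invariant: a capability can be ambient only if it is both
 * permitted and inheritable (what PR_CAP_AMBIENT_RAISE enforces). */
static int raise_ambient(struct proc_caps *p, uint64_t cap)
{
    if ((p->permitted & cap) != cap || (p->inheritable & cap) != cap)
        return -1;
    p->ambient |= cap;
    return 0;
}

/* execve() transformation for a non-root process, per capabilities(7).
 * f.privileged models "file has capabilities or is set-user/group-ID". */
static struct proc_caps caps_after_exec(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n;
    n.ambient     = f.privileged ? 0 : p.ambient;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective   = f.effective ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* A non-root service process holding the capability, then exec'ing a
 * plain binary (no file capabilities). Returns the new effective set. */
static uint64_t effective_after_plain_exec(int use_ambient)
{
    uint64_t cap = CAP_BIT(CAP_NET_BIND_SERVICE);
    struct proc_caps p = { cap, cap, cap, ~UINT64_C(0), 0 };
    struct file_caps plain = { 0, 0, 0, 0 };
    if (use_ambient && raise_ambient(&p, cap) != 0)
        return 0;
    return caps_after_exec(p, plain).effective;
}

int main(void)
{
    printf("inheritable only: %#llx\n", (unsigned long long)effective_after_plain_exec(0));
    printf("with ambient:     %#llx\n", (unsigned long long)effective_after_plain_exec(1));
    return 0;
}
```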