core: do not fail in a container if we can't use setgroups

It might be blocked through /proc/PID/setgroups
author: Giuseppe Scrivano <gscrivan@redhat.com> 2016-09-28 18:37:39 +0200
committer: Giuseppe Scrivano <gscrivan@redhat.com> 2016-10-06 11:49:00 +0200
commit: 36d854780c01d589e5da1fc6e94f46aa41f7016f (patch)
tree: 57a0d3871f1903ab5dd0a2077e4aa669dc44e36c /src/basic/capability-util.c
parent: f006b30bd5a24cb4420e0d439ebb5805b2b4c84d (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index d4c5bd6937..f8db6e0212 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -31,6 +31,7 @@
 #include "log.h"
 #include "macro.h"
 #include "parse-util.h"
+#include "user-util.h"
 #include "util.h"
 
 int have_effective_cap(int value) {
@@ -295,7 +296,7 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
         if (setresgid(gid, gid, gid) < 0)
                 return log_error_errno(errno, "Failed to change group ID: %m");
 
-        if (setgroups(0, NULL) < 0)
+        if (maybe_setgroups(0, NULL) < 0)
                 return log_error_errno(errno, "Failed to drop auxiliary groups list: %m");
 
         /* Ensure we keep the permitted caps across the setresuid() */
author	Giuseppe Scrivano <gscrivan@redhat.com>	2016-09-28 18:37:39 +0200
committer	Giuseppe Scrivano <gscrivan@redhat.com>	2016-10-06 11:49:00 +0200
commit	36d854780c01d589e5da1fc6e94f46aa41f7016f (patch)
tree	57a0d3871f1903ab5dd0a2077e4aa669dc44e36c /src/basic/capability-util.c
parent	f006b30bd5a24cb4420e0d439ebb5805b2b4c84d (diff)