main: add configuration option to alter capability bounding set for PID 1

This also ensures that caps dropped from the bounding set are also dropped from the inheritable set, to be extra-secure. Usually that should change very little though as the inheritable set is empty for all our uses anyway.
author: Lennart Poettering <lennart@poettering.net> 2012-05-24 04:00:56 +0200
committer: Lennart Poettering <lennart@poettering.net> 2012-05-24 04:00:56 +0200
commit: ec8927ca5940e809f0b72f530582c76f1db4f065 (patch)
tree: b230d2458088a82b879afc39a2752d5fc674974e /src/shared/capability.h
parent: e056b01d8acea7fc06d52ef91d227d744faf5259 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/src/shared/capability.h b/src/shared/capability.h
index 9f9c49cf5b..0cc5dd08aa 100644
--- a/src/shared/capability.h
+++ b/src/shared/capability.h
@@ -22,6 +22,11 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
+#include <inttypes.h>
+#include <stdbool.h>
+
 unsigned long cap_last_cap(void);
 int have_effective_cap(int value);
+int capability_bounding_set_drop(uint64_t caps, bool right_now);
+
 #endif
author	Lennart Poettering <lennart@poettering.net>	2012-05-24 04:00:56 +0200
committer	Lennart Poettering <lennart@poettering.net>	2012-05-24 04:00:56 +0200
commit	ec8927ca5940e809f0b72f530582c76f1db4f065 (patch)
tree	b230d2458088a82b879afc39a2752d5fc674974e /src/shared/capability.h
parent	e056b01d8acea7fc06d52ef91d227d744faf5259 (diff)