From ec8927ca5940e809f0b72f530582c76f1db4f065 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 24 May 2012 04:00:56 +0200
Subject: main: add configuration option to alter capability bounding set for
 PID 1

This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway.
---
 src/shared/capability.h | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src/shared/capability.h')

diff --git a/src/shared/capability.h b/src/shared/capability.h
index 9f9c49cf5b..0cc5dd08aa 100644
--- a/src/shared/capability.h
+++ b/src/shared/capability.h
@@ -22,6 +22,11 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
+#include <inttypes.h>
+#include <stdbool.h>
+
 unsigned long cap_last_cap(void);
 int have_effective_cap(int value);
+int capability_bounding_set_drop(uint64_t caps, bool right_now);
+
 #endif
-- 
cgit v1.2.3-54-g00ecf