fix: reset ambient capabilities to resolve D-Bus permission issues

2025-08-27 23:46:34 +00:00 · 2024-12-27 14:01:04 +01:00
parent 3a97decfe9
commit 4332b5caa9
1 changed files with 4 additions and 0 deletions
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -150,6 +150,10 @@ void escape_to_root(void)
 	       sizeof(cred->cap_bset));
 	memcpy(&cred->cap_ambient, &profile->capabilities.effective,
 	       sizeof(cred->cap_ambient));
+	// set ambient caps to all-zero
+	// fixes "operation not permitted" on dbus cap dropping
+	memset(&cred->cap_ambient, 0,
+			sizeof(cred->cap_ambient));

 	// disable seccomp
 #if defined(CONFIG_GENERIC_ENTRY) &&                                           \