From a5f12ffe961afa47a3ae7f75cce3dd3e2ca37102 Mon Sep 17 00:00:00 2001
From: Loukious <24696530+Loukious@users.noreply.github.com>
Date: Fri, 27 Dec 2024 14:01:04 +0100
Subject: [PATCH] fix: reset ambient capabilities to resolve D-Bus permission issues
---
 kernel/core_hook.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/kernel/core_hook.c b/kernel/core_hook.c
index 009216ef..da7140ef 100644
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -150,6 +150,10 @@ void escape_to_root(void)
 sizeof(cred->cap_bset));
 memcpy(&cred->cap_ambient, &profile->capabilities.effective,
 sizeof(cred->cap_ambient));
+ // set ambient caps to all-zero
+ // fixes "operation not permitted" on dbus cap dropping
+ memset(&cred->cap_ambient, 0,
+ sizeof(cred->cap_ambient));
 // disable seccomp
 #if defined(CONFIG_GENERIC_ENTRY) && \
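Review bot: The context-line `memcpy(&cred->cap_ambient, &profile->capabilities.effective, sizeof(cred->cap_ambient));` directly above the added `memset` is now a dead store, since the set it fills is zeroed on the next statement. Leaving both in place makes it look as if the profile's capabilities are still meant to reach the ambient set, so the next edit could reintroduce the D-Bus failure. I would delete that `memcpy` and keep only `memset(&cred->cap_ambient, 0, sizeof(cred->cap_ambient));`. The comment could also record the security reason, not just the symptom, e.g. `// ambient caps are inherited across execve(); keep the set empty so children do not silently receive the profile's capabilities`. The body of escape_to_root starts and ends outside this hunk, so whether anything later reads `cap_ambient` could not be checked from here.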