author | Lennart Poettering <lennart@poettering.net> | 2014-02-17 01:14:14 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-17 15:49:21 +0100 |
commit | 8a8bf3c045d50917cea76ae5a6e659fca0c03e03 (patch) | |
tree | aa5c11637409c2a68189a32392f2feb3b9d7bd52 | |
parent | 37c47eb7098cd39733de83c98d06fb67870bb825 (diff) |
main: don't set no_new_privs when using SystemCallArchitectures= system-wide
After all, we want to allow userspace to get new privs...
-rw-r--r-- | src/core/main.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/main.c b/src/core/main.c index ed64dd167b..b5bb3f6805 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -1191,6 +1191,12 @@ static int enforce_syscall_archs(Set *archs) { } } + r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0); + if (r < 0) { + log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r)); + goto finish; + } + r = seccomp_load(seccomp); if (r < 0) log_error("Failed to add install architecture seccomp: %s", strerror(-r)); |
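Review bot: The commit message should document that clearing SCMP_FLTATR_CTL_NNP changes the privilege requirement of the following seccomp_load() call: the kernel only accepts a filter installed without no_new_privs from a caller holding CAP_SYS_ADMIN, so this now relies on PID 1 still having that capability at the point enforce_syscall_archs() runs, and the architecture filter is then inherited across setuid execs as a deliberate system-wide policy rather than being blocked by NNP. Placing the attribute call before seccomp_load() is correct, since libseccomp applies the attribute at load time, and the `goto finish` on failure matches the existing error handling in the function. As a style point, the pre-existing message "Failed to add install architecture seccomp" on the unchanged seccomp_load() line is garbled ("add install"); since this hunk touches the adjacent lines, it would be a good time to reword it to something like "Failed to install architecture seccomp filter".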