authorLennart Poettering <lennart@poettering.net>2014-02-17 01:14:14 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-17 15:49:21 +0100
commit8a8bf3c045d50917cea76ae5a6e659fca0c03e03 (patch)
treeaa5c11637409c2a68189a32392f2feb3b9d7bd52
parent37c47eb7098cd39733de83c98d06fb67870bb825 (diff)
main: don't set no_new_privs when using SystemCallArchitectures= system-wide
After all, we want to allow userspace to get new privs...
-rw-r--r--src/core/main.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/main.c b/src/core/main.c
index ed64dd167b..b5bb3f6805 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1191,6 +1191,12 @@ static int enforce_syscall_archs(Set *archs) {
}
}
+ r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
+ if (r < 0) {
+ log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
+ goto finish;
+ }
+
r = seccomp_load(seccomp);
if (r < 0)
log_error("Failed to add install architecture seccomp: %s", strerror(-r));
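Review bot: The new seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0) call carries no comment, so the reason NO_NEW_PRIVS is deliberately cleared on this filter lives only in the commit message; since this is the one place in the file where a seccomp filter is installed without NNP, the intent should be stated in code. A filter loaded without NO_NEW_PRIVS is only accepted by the kernel when the caller holds CAP_SYS_ADMIN, which presumably holds for PID 1 here but is a non-obvious precondition worth recording next to the call. Suggest a comment before the new block: `/* Deliberately clear NO_NEW_PRIVS: this architecture filter is installed system-wide from PID 1 and must not stop setuid/fscaps binaries from gaining privileges. Loading without NNP requires CAP_SYS_ADMIN. */`. Note that on the goto finish path no architecture filter is installed at all; whether the caller treats that as fatal is not visible here. enforce_syscall_archs() starts before this hunk and its finish label lies after it.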