author | Djalal Harouni <tixxdz@opendz.org> | 2016-11-15 20:45:27 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-11-15 20:45:27 +0100 |
commit | afc402b76a4520997a7c831a943be75e3072b301 (patch) | |
tree | 0ebe0b88cb1c755e5cd49cb169b23f494b99a3a8 /src/core/execute.c | |
parent | 22f1f8f24cc845dbb953535e93d69f06aa69712f (diff) | |
parent | 73186d534b1d4a8c217cf102ffd837d8e61a7e42 (diff) |
Merge pull request #4658 from endocode/djalal/sandbox-various-fixes-v1
core: improve the logic that implies no new privileges and documentation fixes
Diffstat (limited to 'src/core/execute.c')
-rw-r--r-- | src/core/execute.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index f666f7c6ce..04c4e511f4 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2201,7 +2201,8 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
 return false;
- return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
+ /* We need NNP if we have any form of seccomp and are unprivileged */
+ return context_has_address_families(c) ||
 c->memory_deny_write_execute ||
 c->restrict_realtime ||
 exec_context_restrict_namespaces_set(c) || |
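Review bot: The relocated comment above `return context_has_address_families(c) ||` states the rule but not the reason for it, so someone adding a new seccomp-backed setting has no cue that it must be listed here too. seccomp(2) only lets a task install a filter if it has CAP_SYS_ADMIN or has no_new_privs set, which is why the `have_effective_cap(CAP_SYS_ADMIN)` early return and this list belong together. I would word it as `/* seccomp filters can only be installed with CAP_SYS_ADMIN or with no_new_privs set, so every seccomp-backed option must appear here */`. The return expression continues past the end of the hunk, so whether all such options are already covered cannot be checked from here.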