core: drop CAP_MKNOD when PrivateDevices= is set

author: Lennart Poettering <lennart@poettering.net> 2014-03-18 17:58:19 +0100
committer: Lennart Poettering <lennart@poettering.net> 2014-03-18 17:58:19 +0100
commit: f1660f96f59dad860d39f148c3a747050d112763 (patch)
tree: 6a56a7202c056b889acdd51fe3eccc0d155dceae /src/core/unit.c
parent: 45aee6d67ad62a651720f22e67273a692014f948 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/src/core/unit.c b/src/core/unit.c
index 4fb0d9caaa..20b139d31b 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -2830,6 +2830,9 @@ int unit_exec_context_patch_defaults(Unit *u, ExecContext *c) {
              !set_isempty(c->address_families)))
                 c->no_new_privileges = true;
 
+        if (c->private_devices)
+                c->capability_bounding_set_drop |= (uint64_t) 1ULL << (uint64_t) CAP_MKNOD;
+
         return 0;
 }
author	Lennart Poettering <lennart@poettering.net>	2014-03-18 17:58:19 +0100
committer	Lennart Poettering <lennart@poettering.net>	2014-03-18 17:58:19 +0100
commit	f1660f96f59dad860d39f148c3a747050d112763 (patch)
tree	6a56a7202c056b889acdd51fe3eccc0d155dceae /src/core/unit.c
parent	45aee6d67ad62a651720f22e67273a692014f948 (diff)