diff options
| author | Djalal Harouni <tixxdz@opendz.org> | 2016-11-15 10:15:27 +0100 |
|---|---|---|
| committer | Djalal Harouni <tixxdz@opendz.org> | 2016-11-15 15:04:31 +0100 |
| commit | c92e8afebd6126b4d679ee1a2dc2a5b74a8b49c7 (patch) | |
| tree | 9833d3b39161ae70e3629e74e078247864096957 /src/core | |
| parent | 46b6025a8881b50373a3730598c8caa46be537f0 (diff) | |
core: improve the logic that implies no new privileges
The no_new_privileged_set variable is not used any more since commit
9b232d3241fcfbf60af that fixed another thing. So remove it. Also no
need to check if we are under user manager, remove that part too.
Diffstat (limited to 'src/core')
| -rw-r--r-- | src/core/execute.c | 3 | ||||
| -rw-r--r-- | src/core/execute.h | 1 | ||||
| -rw-r--r-- | src/core/load-fragment.c | 1 | ||||
| -rw-r--r-- | src/core/unit.c | 8 |
4 files changed, 2 insertions, 11 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index f666f7c6ce..04c4e511f4 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -2201,7 +2201,8 @@ static bool context_has_no_new_privileges(const ExecContext *c) { if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */ return false; - return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */ + /* We need NNP if we have any form of seccomp and are unprivileged */ + return context_has_address_families(c) || c->memory_deny_write_execute || c->restrict_realtime || exec_context_restrict_namespaces_set(c) || diff --git a/src/core/execute.h b/src/core/execute.h index 56f880cffe..e52640ee91 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -216,7 +216,6 @@ struct ExecContext { bool nice_set:1; bool ioprio_set:1; bool cpu_sched_set:1; - bool no_new_privileges_set:1; }; static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) { diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index 52079980d8..970eed27c1 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -3896,7 +3896,6 @@ int config_parse_no_new_privileges( } c->no_new_privileges = k; - c->no_new_privileges_set = true; return 0; } diff --git a/src/core/unit.c b/src/core/unit.c index bba0f5d357..da9bb58a52 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -3429,14 +3429,6 @@ int unit_patch_contexts(Unit *u) { ec->working_directory_missing_ok = true; } - if (MANAGER_IS_USER(u->manager) && - (ec->syscall_whitelist || - !set_isempty(ec->syscall_filter) || - !set_isempty(ec->syscall_archs) || - ec->address_families_whitelist || - !set_isempty(ec->address_families))) - ec->no_new_privileges = true; - if (ec->private_devices) ec->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) | (UINT64_C(1) << CAP_SYS_RAWIO)); |