summaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-06-23 01:33:07 +0200
committerLennart Poettering <lennart@poettering.net>2016-06-23 01:33:07 +0200
commit686d9ba614adfef22b1eedc6d1565e18e8778829 (patch)
treeabbadf30732d5d8d643c944022e9b1b9fc3e2cad /src/core
parent03857c43ce099e50fbb78dd4b32eb75759b83ae0 (diff)
execute: set PR_SET_NO_NEW_PRIVS also in case the exec memory protection is used
This was forgotten when MemoryDenyWriteExecute= was added: we should set NNP in all cases when we set seccomp filters.
Diffstat (limited to 'src/core')
-rw-r--r--src/core/execute.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index ac87e334a4..135e567222 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2017,7 +2017,7 @@ static int exec_child(
}
if (context->no_new_privileges ||
- (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || use_syscall_filter)))
+ (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || context->memory_deny_write_execute || use_syscall_filter)))
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
*exit_status = EXIT_NO_NEW_PRIVILEGES;
return -errno;