Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c25
1 files changed, 16 insertions, 9 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 6041da46d6..4c2968f971 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1938,10 +1938,13 @@ static int compile_read_write_paths(
return 0;
}
-static int apply_mount_namespace(Unit *u, const ExecContext *context,
- const ExecParameters *params,
- ExecRuntime *runtime) {
- int r;
+static int apply_mount_namespace(
+ Unit *u,
+ ExecCommand *command,
+ const ExecContext *context,
+ const ExecParameters *params,
+ ExecRuntime *runtime) {
+
_cleanup_strv_free_ char **rw = NULL;
char *tmp = NULL, *var = NULL;
const char *root_dir = NULL, *root_image = NULL;
@@ -1953,6 +1956,8 @@ static int apply_mount_namespace(Unit *u, const ExecContext *context,
.protect_kernel_modules = context->protect_kernel_modules,
.mount_apivfs = context->mount_apivfs,
};
+ bool apply_restrictions;
+ int r;
assert(context);
@@ -1986,16 +1991,18 @@ static int apply_mount_namespace(Unit *u, const ExecContext *context,
if (!context->dynamic_user && root_dir)
ns_info.ignore_protect_paths = true;
+ apply_restrictions = (params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged;
+
r = setup_namespace(root_dir, root_image,
&ns_info, rw,
- context->read_only_paths,
- context->inaccessible_paths,
+ apply_restrictions ? context->read_only_paths : NULL,
+ apply_restrictions ? context->inaccessible_paths : NULL,
context->bind_mounts,
context->n_bind_mounts,
tmp,
var,
- context->protect_home,
- context->protect_system,
+ apply_restrictions ? context->protect_home : PROTECT_HOME_NO,
+ apply_restrictions ? context->protect_system : PROTECT_SYSTEM_NO,
context->mount_flags,
DISSECT_IMAGE_DISCARD_ON_LOOP);
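Review bot: The new `apply_restrictions` line dereferences `command` (and reads `params->flags`) without a corresponding assertion, while the function asserts `context` in the preceding hunk; add `assert(command);` beside that `assert(context);` (the tail of that hunk, where `params` may or may not already be asserted, is cut off in this view). The gating only withholds the read-only paths, inaccessible paths, protect_home and protect_system arguments for privileged commands, whereas the `ns_info` settings such as `.protect_kernel_modules`, the bind mounts and the `tmp`/`var` directories are still passed to setup_namespace() unconditionally. If that asymmetry is intended, it deserves a comment above the assignment, e.g. `/* Privileged commands skip only the path-based restrictions; the rest of the namespace setup (ns_info, bind mounts, private tmp/var) still applies. */`, so a later reader does not take the partial bypass for an oversight. apply_mount_namespace() begins in an earlier hunk and its body is split across this view.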
@@ -2606,7 +2613,7 @@ static int exec_child(
needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
if (needs_mount_namespace) {
- r = apply_mount_namespace(unit, context, params, runtime);
+ r = apply_mount_namespace(unit, command, context, params, runtime);
if (r < 0) {
*exit_status = EXIT_NAMESPACE;
return r;