From 9b232d3241fcfbf60affab69fa51213e36133db5 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Sat, 22 Oct 2016 23:28:46 -0400
Subject: core: do not set no_new_privileges flag in config_parse_syscall_filter

If SyscallFilter was set, and subsequently cleared, the no_new_privileges flag was not reset properly. We don't need to set this flag here, it will be set automatically in unit_patch_contexts() if syscall_filter is set.
---
 src/core/load-fragment.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index a69f60097d..9881baf192 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2736,11 +2736,6 @@ int config_parse_syscall_filter(
 if (!isempty(state))
 log_syntax(unit, LOG_ERR, filename, line, 0, "Trailing garbage, ignoring.");
 
- /* Turn on NNP, but only if it wasn't configured explicitly
- * before, and only if we are in user mode. */
- if (!c->no_new_privileges_set && MANAGER_IS_USER(u->manager))
- c->no_new_privileges = true;
-
 return 0;
 }
 
@@ -3829,7 +3824,7 @@ int config_parse_no_new_privileges(
 return 0;
 }
 
- c->no_new_privileges = !!k;
+ c->no_new_privileges = k;
 c->no_new_privileges_set = true;
 
 return 0;
-- cgit v1.2.3-54-g00ecf

From 74388c2d11acd9b638e33e09c7a99a9bc2c6292b Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Sat, 22 Oct 2016 23:41:45 -0400
Subject: man: document the default value of NoNewPrivileges=

Fixes #4329.
---
 man/systemd.exec.xml | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index dbe4594730..6a26f3c133 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
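Review bot: Removing the block in the first hunk also removes the `!c->no_new_privileges_set` guard, so whether an explicit `NoNewPrivileges=no` still wins over a configured `SystemCallFilter=` in a user manager now rests entirely on unit_patch_contexts(), which is not in this diff. The man-page patch further down this page documents the new behaviour as "ignoring the value of this setting", so the override appears intended, but the first commit message only describes the clear-then-stale-flag bug and should state that an explicit `no` is no longer honoured for these units. Since the parser no longer says why it does nothing here, a one-line comment where the block stood would help, e.g. `/* NNP for filtered units is forced in unit_patch_contexts(), not here, so clearing the filter also clears it. */`. In the second hunk `c->no_new_privileges = k;` relies on `k` already being 0 or 1, which the `return 0` error branch just above presumably guarantees. Both config_parse_syscall_filter and config_parse_no_new_privileges begin before their hunks.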
@@ -1234,13 +1234,22 @@
 NoNewPrivileges=
- Takes a boolean argument. If true, ensures
- that the service process and all its children can never gain
- new privileges. This option is more powerful than the
- respective secure bits flags (see above), as it also prohibits
- UID changes of any kind. This is the simplest, most effective
- way to ensure that a process and its children can never
- elevate privileges again.
+ Takes a boolean argument. If true, ensures that the service
+ process and all its children can never gain new privileges. This option is more
+ powerful than the respective secure bits flags (see above), as it also prohibits
+ UID changes of any kind. This is the simplest and most effective way to ensure that
+ a process and its children can never elevate privileges again. Defaults to false,
+ but in the user manager instance certain settings force
+ NoNewPrivileges=yes, ignoring the value of this setting.
+ Those is the case when SystemCallFilter=,
+ SystemCallArchitectures=,
+ RestrictAddressFamilies=,
+ PrivateDevices=,
+ ProtectKernelTunables=,
+ ProtectKernelModules=,
+ MemoryDenyWriteExecute=, or
+ RestrictRealtime= are specified.
+
-- cgit v1.2.3-54-g00ecf