From f1660f96f59dad860d39f148c3a747050d112763 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 18 Mar 2014 17:58:19 +0100
Subject: core: drop CAP_MKNOD when PrivateDevices= is set
---
 src/core/unit.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'src/core/unit.c')
diff --git a/src/core/unit.c b/src/core/unit.c
index 4fb0d9caaa..20b139d31b 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -2830,6 +2830,9 @@ int unit_exec_context_patch_defaults(Unit *u, ExecContext *c) {
 !set_isempty(c->address_families)))
 c->no_new_privileges = true;
+ if (c->private_devices)
+ c->capability_bounding_set_drop |= (uint64_t) 1ULL << (uint64_t) CAP_MKNOD;
+
 return 0;
 }
-- cgit v1.2.3-54-g00ecf
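Review bot: The added `if (c->private_devices)` block silently widens `capability_bounding_set_drop` with no comment explaining why, so a reader debugging an unexpected EPERM from mknod() has nothing that ties it back to PrivateDevices=. I would put `/* A private /dev is only a real boundary if the service cannot mknod() the hidden device nodes back */` above the `if`. This view is limited to src/core/unit.c, so I cannot tell whether the PrivateDevices= documentation also mentions the implied drop; if it does not, it should. The drop covers CAP_MKNOD only, so whether other device-related capabilities (for example CAP_SYS_RAWIO) deserve the same treatment is worth a follow-up. The body of unit_exec_context_patch_defaults() starts outside the hunk.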