From 8a8bf3c045d50917cea76ae5a6e659fca0c03e03 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 17 Feb 2014 01:14:14 +0100
Subject: main: don't set no_new_privs when using SystemCallArchitectures=
 system-wide

After all, we want to allow userspace to get new privs...
---
 src/core/main.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/core')

diff --git a/src/core/main.c b/src/core/main.c
index ed64dd167b..b5bb3f6805 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1191,6 +1191,12 @@ static int enforce_syscall_archs(Set *archs) {
                 }
         }
 
+        r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
+        if (r < 0) {
+                log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
+                goto finish;
+        }
+
         r = seccomp_load(seccomp);
         if (r < 0)
                 log_error("Failed to add install architecture seccomp: %s", strerror(-r));
-- 
cgit v1.2.3-54-g00ecf