X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fload-fragment.c;h=18dab02cd771058d0be83708f40fdc829ad74a31;hb=760b9d7cbaa72cc7446ad915f84d4939c11a360c;hp=5628d8c910df94530471c462a33568feb08d5144;hpb=b5d742138f71e87312541a89aac5657015f50f48;p=elogind.git
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 5628d8c91..18dab02cd 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2122,7 +2122,10 @@ int config_parse_syscall_filter(
 set_remove(c->syscall_filter, INT_TO_PTR(id + 1));
 }

- c->no_new_privileges = true;
+ /* Turn on NNP, but only if it wasn't configured explicitly
+ * before, and only if we are in user mode. */
+ if (!c->no_new_privileges_set && u->manager->running_as == SYSTEMD_USER)
+ c->no_new_privileges = true;

 return 0;
 }
@@ -2902,6 +2905,38 @@ int config_parse_namespace_path_strv(
 return 0;
 }

+int config_parse_no_new_priviliges(
+ const char* unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ ExecContext *c = data;
+ int k;
+
+ assert(filename);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+
+ k = parse_boolean(rvalue);
+ if (k < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, -k, "Failed to parse boolean value, ignoring: %s", rvalue);
+ return 0;
+ }
+
+ c->no_new_privileges = !!k;
+ c->no_new_privileges_set = true;
+
+ return 0;
+}
+
 #define FOLLOW_MAX 8

 static int open_follow(char **filename, FILE **_f, Set *names, char **_final) {
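Review bot: With the new condition at the end of config_parse_syscall_filter, a system-mode unit that sets SystemCallFilter= but not NoNewPrivileges= now runs under a seccomp filter with NNP off, and the comment states the rule without the reason or this consequence. Presumably the user-mode case exists because an unprivileged manager cannot install a filter without NNP; I would say so and name the trade-off, e.g. `/* The user manager lacks the privilege to install a seccomp filter without NNP, so imply it there. In system mode NNP stays off unless NoNewPrivileges= is set, so filtered services can still execute setuid/file-capability binaries. */`. The same caveat belongs in the SystemCallFilter= documentation, since units that relied on the implicit NNP lose it silently. `u` is declared outside the hunk, so whether it is guaranteed non-NULL before `u->manager` is dereferenced cannot be checked from here.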
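Review bot: The new parser's name is misspelled (`config_parse_no_new_priviliges`). Because the function is non-static, the typo will spread to the header prototype and the directive table, so I would rename it now to `int config_parse_no_new_privileges(`. The function also has no header comment; a short one should state that it sets both `no_new_privileges` and `no_new_privileges_set`. It should add that a value rejected by parse_boolean() is logged and ignored, leaving both fields unchanged. In system mode that means a mistyped NoNewPrivileges= leaves NNP off even when SystemCallFilter= is present.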