<filename>/dev/sda</filename>. This is
                                 useful to securely turn off physical
                                 device access by the executed
-                                process. Defaults to
-                                false.</para></listitem>
+                                process. Defaults to false. Note that
+                                enabling this option implies that
+                                <constant>CAP_MKNOD</constant> is
+                                removed from the capability bounding
+                                set for the unit.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
 
              !set_isempty(c->address_families)))
                 c->no_new_privileges = true;
 
+        if (c->private_devices)
+                c->capability_bounding_set_drop |= (uint64_t) 1ULL << (uint64_t) CAP_MKNOD;
+
         return 0;
 }
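Review bot: The added `if (c->private_devices)` branch removes only `CAP_MKNOD`, which stops the service from recreating device nodes but does not by itself deliver the "securely turn off physical device access" promise in the man page text. A unit that keeps `CAP_SYS_RAWIO`, or that can reach device nodes on another mount, is presumably still able to touch hardware. It is worth deciding whether that capability belongs in the same drop, e.g. `c->capability_bounding_set_drop |= UINT64_C(1) << CAP_SYS_RAWIO;`. Whatever is decided, a comment above the branch should record the intent, such as `/* PrivateDevices= hides device nodes; drop CAP_MKNOD so the service cannot create new ones */`. The two `(uint64_t)` casts around `1ULL` and `CAP_MKNOD` are redundant and could become `UINT64_C(1) << CAP_MKNOD`. The enclosing function starts outside the hunk, so it is not visible whether this path also runs for properties set at runtime.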