chiark / gitweb /
core: drop CAP_MKNOD when PrivateDevices= is set
[elogind.git] / src / core / unit.c
index 4fb0d9c..20b139d 100644 (file)
@@ -2830,6 +2830,9 @@ int unit_exec_context_patch_defaults(Unit *u, ExecContext *c) {
              !set_isempty(c->address_families)))
                 c->no_new_privileges = true;
 
+        if (c->private_devices)
+                c->capability_bounding_set_drop |= (uint64_t) 1ULL << (uint64_t) CAP_MKNOD;
+
         return 0;
 }