From: Lennart Poettering
Date: Tue, 18 Mar 2014 16:58:19 +0000 (+0100)
Subject: core: drop CAP_MKNOD when PrivateDevices= is set
X-Git-Tag: v212~111
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=f1660f96f59dad860d39f148c3a747050d112763;hp=45aee6d67ad62a651720f22e67273a692014f948
core: drop CAP_MKNOD when PrivateDevices= is set
---
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index f1bcf9b7b..90d36f9b5 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -908,8 +908,11 @@
                         /dev/sda. This is useful to securely turn off physical device access by the executed
-                        process. Defaults to
-                        false.
+                        process. Defaults to false. Note that
+                        enabling this option implies that
+                        CAP_MKNOD is
+                        removed from the capability bounding
+                        set for the unit.
diff --git a/src/core/unit.c b/src/core/unit.c
index 4fb0d9caa..20b139d31 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -2830,6 +2830,9 @@ int unit_exec_context_patch_defaults(Unit *u, ExecContext *c) {
                      !set_isempty(c->address_families)))
                 c->no_new_privileges = true;
 
+        if (c->private_devices)
+                c->capability_bounding_set_drop |= (uint64_t) 1ULL << (uint64_t) CAP_MKNOD;
+
         return 0;
 }
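Review bot: The new `c->capability_bounding_set_drop |=` line in the unit.c hunk is cast-heavy for what it expresses: `1ULL` is already an unsigned 64-bit constant and the shift count needs no widening, so `c->capability_bounding_set_drop |= UINT64_C(1) << CAP_MKNOD;` says the same thing without the two casts. One dependency is worth recording next to the new `if`: the private /dev that PrivateDevices= sets up is presumably populated with mknod in the child, so this drop only behaves as intended if the bounding set is applied after that namespace setup; a comment such as `/* The private /dev must be populated before the bounding set is applied, since that step itself needs mknod. */` would keep the ordering visible to whoever reorders the exec sequence later. Whether the current exec path already respects that ordering cannot be confirmed from this hunk. unit_exec_context_patch_defaults begins outside the hunk.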