From: Lennart Poettering Date: Mon, 17 Feb 2014 00:14:14 +0000 (+0100) Subject: main: don't set no_new_privs when using SystemCallArchitectures= system-wide X-Git-Tag: v209~102 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=8a8bf3c045d50917cea76ae5a6e659fca0c03e03 main: don't set no_new_privs when using SystemCallArchitectures= system-wide After all, we want to allow userspace to get new privs... --- diff --git a/src/core/main.c b/src/core/main.c index ed64dd167..b5bb3f680 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -1191,6 +1191,12 @@ static int enforce_syscall_archs(Set *archs) { } } + r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0); + if (r < 0) { + log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r)); + goto finish; + } + r = seccomp_load(seccomp); if (r < 0) log_error("Failed to add install architecture seccomp: %s", strerror(-r));
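Review bot: the new seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0) call in enforce_syscall_archs() turns off the NO_NEW_PRIVS flag that libseccomp sets by default, and the kernel only accepts a filter installed without no_new_privs from a caller holding CAP_SYS_ADMIN, so please add a short comment above the call stating both facts: that the filter is deliberately loaded without NNP so that setuid/fscaps binaries launched from this process keep working (the reason given only in the commit message), and that this code path is expected to run as PID 1 with CAP_SYS_ADMIN, otherwise seccomp_load() will fail with EACCES. A one-line comment such as "/* Don't set NO_NEW_PRIVS: the whole system must still be able to gain privileges via setuid binaries; requires CAP_SYS_ADMIN, which PID 1 has */" would keep the rationale next to the code rather than only in the git history. Minor: the pre-existing message "Failed to add install architecture seccomp" in the following context line reads oddly; since it is being touched anyway, "Failed to install architecture seccomp filter" would be clearer.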