core: improve the logic that implies no new privileges

The no_new_privileges_set variable has not been used since commit
9b232d3241, which fixed another thing, so remove it. There is also no
need to check whether we are running under a user manager, so remove that part too.
Djalal Harouni 2016-11-15 10:15:27 +01:00
parent 46b6025a88
commit c92e8afebd
4 changed files with 2 additions and 11 deletions


@ -2201,7 +2201,8 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
return false;
return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
/* We need NNP if we have any form of seccomp and are unprivileged */
return context_has_address_families(c) ||
c->memory_deny_write_execute ||
c->restrict_realtime ||
exec_context_restrict_namespaces_set(c) ||
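Review bot: The new comment above the `return` says "any form of seccomp", but nothing in the hunk records why seccomp implies NNP, which is the rule the `have_effective_cap(CAP_SYS_ADMIN)` check two lines up relies on: the kernel only lets a process without CAP_SYS_ADMIN install a seccomp filter once PR_SET_NO_NEW_PRIVS is set. I would extend it to `/* We need NNP if we have any form of seccomp and are unprivileged: installing a seccomp filter without CAP_SYS_ADMIN requires PR_SET_NO_NEW_PRIVS */`. Note also that `have_effective_cap()` appears to inspect the calling process, so the `return false` branch is about the privilege of whoever calls this function at the time of the call, not about the unit itself; if that is intended, the comment on that line could say so explicitly. The body of context_has_no_new_privileges() continues past the end of the hunk.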


@ -216,7 +216,6 @@ struct ExecContext {
bool nice_set:1;
bool ioprio_set:1;
bool cpu_sched_set:1;
bool no_new_privileges_set:1;
};
static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) {


@ -3896,7 +3896,6 @@ int config_parse_no_new_privileges(
}
c->no_new_privileges = k;
c->no_new_privileges_set = true;
return 0;
}


@ -3429,14 +3429,6 @@ int unit_patch_contexts(Unit *u) {
ec->working_directory_missing_ok = true;
}
if (MANAGER_IS_USER(u->manager) &&
(ec->syscall_whitelist ||
!set_isempty(ec->syscall_filter) ||
!set_isempty(ec->syscall_archs) ||
ec->address_families_whitelist ||
!set_isempty(ec->address_families)))
ec->no_new_privileges = true;
if (ec->private_devices)
ec->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) | (UINT64_C(1) << CAP_SYS_RAWIO));