main: don't set no_new_privs when using SystemCallArchitectures= system-wide

After all, we want to allow userspace to get new privs...
2025-03-19 22:50:17 +03:00 · 2014-02-17 01:14:14 +01:00 · 2014-02-17 01:14:14 +01:00 · 8a8bf3c045
commit 8a8bf3c045
parent 37c47eb709
1 changed files with 6 additions and 0 deletions
--- a/src/core/main.c
+++ b/src/core/main.c
@ -1191,6 +1191,12 @@ static int enforce_syscall_archs(Set *archs) {
                }
        }

+        r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
+        if (r < 0) {
+                log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
+                goto finish;
+        }
+
        r = seccomp_load(seccomp);
        if (r < 0)
                log_error("Failed to add install architecture seccomp: %s", strerror(-r));