diff options
Diffstat (limited to 'src/core/unit.c')
| -rw-r--r-- | src/core/unit.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/core/unit.c b/src/core/unit.c index 115739f4c6..e1f5e6f7bd 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -4161,14 +4161,20 @@ int unit_patch_contexts(Unit *u) { return -ENOMEM; } - /* If the dynamic user option is on, let's make sure that the unit can't leave its UID/GID - * around in the file system or on IPC objects. Hence enforce a strict sandbox. */ + /* If the dynamic user option is on, let's make sure that the unit can't leave its + * UID/GID around in the file system or on IPC objects. Hence enforce a strict + * sandbox. */ ec->private_tmp = true; ec->remove_ipc = true; ec->protect_system = PROTECT_SYSTEM_STRICT; if (ec->protect_home == PROTECT_HOME_NO) ec->protect_home = PROTECT_HOME_READ_ONLY; + + /* Make sure this service can neither benefit from SUID/SGID binaries nor create + * them. */ + ec->no_new_privileges = true; + ec->restrict_suid_sgid = true; } } |