core: add 'DefaultRestrictSUIDSGID' config option

author Grimmauld <Grimmauld@grimmauld.de>

Tue, 8 Jul 2025 19:21:25 +0000 (21:21 +0200)

committer Grimmauld <Grimmauld@grimmauld.de>

Wed, 9 Jul 2025 09:08:34 +0000 (11:08 +0200)
author Grimmauld <Grimmauld@grimmauld.de>
Tue, 8 Jul 2025 19:21:25 +0000 (21:21 +0200)
committer Grimmauld <Grimmauld@grimmauld.de>
Wed, 9 Jul 2025 09:08:34 +0000 (11:08 +0200)
diff --git a/src/core/main.c b/src/core/main.c

index c32a971455c7ee2397cf2479b5ec41f1a303d0dc..953681c99d3a4bccf3dbc0cf9ed9f8d415c48da7 100644 (file)
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -773,6 +773,7 @@ static int parse_config_file(void) {
                  { "Manager", "DefaultStartLimitInterval",    config_parse_sec,                   0,                        &arg_defaults.start_limit.interval}, /* obsolete alias */
                  { "Manager", "DefaultStartLimitIntervalSec", config_parse_sec,                   0,                        &arg_defaults.start_limit.interval},
                  { "Manager", "DefaultStartLimitBurst",       config_parse_unsigned,              0,                        &arg_defaults.start_limit.burst   },
+                { "Manager", "DefaultRestrictSUIDSGID",      config_parse_bool,                  0,                        &arg_defaults.restrict_suid_sgid  },
                  { "Manager", "DefaultEnvironment",           config_parse_environ,               arg_runtime_scope,        &arg_default_environment          },
                  { "Manager", "ManagerEnvironment",           config_parse_environ,               arg_runtime_scope,        &arg_manager_environment          },
                  { "Manager", "DefaultLimitCPU",              config_parse_rlimit,                RLIMIT_CPU,               arg_defaults.rlimit               },
diff --git a/src/core/manager.c b/src/core/manager.c

index aa43c9d79b19f07511d91fc0bc05244f4ab42eb0..d85896577f3e6b19452cae7e89346c1c99df6dd3 100644 (file)
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -4259,6 +4259,8 @@ int manager_set_unit_defaults(Manager *m, const UnitDefaults *defaults) {
          m->defaults.timeout_abort_set = defaults->timeout_abort_set;
          m->defaults.device_timeout_usec = defaults->device_timeout_usec;
  
+        m->defaults.restrict_suid_sgid = defaults->restrict_suid_sgid;
+
          m->defaults.start_limit = defaults->start_limit;
  
          m->defaults.memory_accounting = defaults->memory_accounting;
diff --git a/src/core/manager.h b/src/core/manager.h

index c267ebe7eee9aadf60a561c3679dd2639ee7ec3b..a7009a49d791b16b65ce2df3bbfcb01273c83909 100644 (file)
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -141,6 +141,8 @@ typedef struct UnitDefaults {
          CGroupTasksMax tasks_max;
          usec_t timer_accuracy_usec;
  
+        bool restrict_suid_sgid;
+
          OOMPolicy oom_policy;
          int oom_score_adjust;
          bool oom_score_adjust_set;
diff --git a/src/core/system.conf.in b/src/core/system.conf.in

index 051a18bd21c41b44851eae9f2b1aa9c4d496b6cf..54196e84894df7356cabafa56bcc15003697e619 100644 (file)
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -79,5 +79,6 @@
  #DefaultMemoryPressureWatch=auto
  #DefaultOOMPolicy=stop
  #DefaultSmackProcessLabel=
+#DefaultRestrictSUIDSGID=
  #ReloadLimitIntervalSec=
  #ReloadLimitBurst=
diff --git a/src/core/unit.c b/src/core/unit.c

index e79651574760f70b76ecdde9912f69c4e9ec26e8..9051fc69236e199202fde461fc9e9f7b9ed3af7a 100644 (file)
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -191,6 +191,8 @@ static void unit_init(Unit *u) {
                          ec->oom_score_adjust_set = true;
                  }
  
+                ec->restrict_suid_sgid = u->manager->defaults.restrict_suid_sgid;
+
                  if (MANAGER_IS_SYSTEM(u->manager))
                          ec->keyring_mode = EXEC_KEYRING_SHARED;
                  else {
diff --git a/src/core/user.conf.in b/src/core/user.conf.in

index 14f0eae7f8a7308162cf04de1a7e098cf3149544..9c37f4b54e9bd535707092a0bb4eb23f97720c30 100644 (file)
--- a/src/core/user.conf.in
+++ b/src/core/user.conf.in
@@ -55,5 +55,6 @@
  #DefaultMemoryPressureThresholdSec=200ms
  #DefaultMemoryPressureWatch=auto
  #DefaultSmackProcessLabel=
+#DefaultRestrictSUIDSGID=
  #ReloadLimitIntervalSec=
  #ReloadLimitBurst
author	Grimmauld <Grimmauld@grimmauld.de>
	Tue, 8 Jul 2025 19:21:25 +0000 (21:21 +0200)
committer	Grimmauld <Grimmauld@grimmauld.de>
	Wed, 9 Jul 2025 09:08:34 +0000 (11:08 +0200)
src/core/main.c		patch \| blob \| blame \| history
src/core/manager.c		patch \| blob \| blame \| history
src/core/manager.h		patch \| blob \| blame \| history
src/core/system.conf.in		patch \| blob \| blame \| history
src/core/unit.c		patch \| blob \| blame \| history
src/core/user.conf.in		patch \| blob \| blame \| history