git.ipfire.org Git - thirdparty/systemd.git/commit

author	Iago López Galeiras <iagol@microsoft.com>
	Tue, 7 Nov 2023 10:06:56 +0000 (11:06 +0100)
committer	Iago López Galeiras <iagol@microsoft.com>
	Tue, 7 Nov 2023 10:31:53 +0000 (11:31 +0100)
commit	24832d10b604848cf46624bb439c7fac27f3ce3f
tree	0e2953b91b50ea4e3ab7b59bface296a9c58044a	tree \| snapshot
parent	b3e199cec87dd8f8238904fdac92c36c1f83eb07	commit \| diff

core: allow using seccomp without no_new_privs when unprivileged

Until now, using any form of seccomp while being unprivileged (User=)
resulted in systemd enabling no_new_privs.

There's no need for doing this because:

* We trust the filters we apply
* If User= is set and a process wants to apply a new seccomp filter, it
will need to set no_new_privs itself

An example of application that might want seccomp + !no_new_privs is a
program that wants to run as an unprivileged user but uses file
capabilities to start a web server on a privileged port while
benefitting from a restrictive seccomp profile.

We now keep the privileges needed to do seccomp before calling
enforce_user() and drop them after the seccomp filters are applied.

If the syscall filter doesn't allow the needed syscalls to drop the
privileges, we keep the previous behavior by enabling no_new_privs.

man/systemd.exec.xml		diff \| blob \| blame \| history
src/basic/capability-util.c		diff \| blob \| blame \| history
src/basic/capability-util.h		diff \| blob \| blame \| history
src/core/exec-invoke.c		diff \| blob \| blame \| history