]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3809783)
units/systemd-portabled: enable NoNewPrivileges=
authorMike Yuan <me@yhndnzj.com>
Wed, 21 Jan 2026 19:26:31 +0000 (20:26 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Fri, 27 Feb 2026 20:05:57 +0000 (20:05 +0000)
As with all other daemons we ship.

(cherry picked from commit e9a1271a0c99f0fa5a16786c85b44b2a06150ae0)
(cherry picked from commit 09c4e863639647d012ab8a45fa8fa92657a720f9)
(cherry picked from commit e7b200817b8d2e9480ff599a29c6dde9eb1ee74f)

units/systemd-portabled.service.in patch | blob | blame | history

diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index cad2830b64b3960273c35565c676119b512143c8..d22f2342710d5b92132945dcc4ec6b3a2b3f97ac 100644 (file)
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -20,6 +20,7 @@ ExecStart={{LIBEXECDIR}}/systemd-portabled
 BusName=org.freedesktop.portable1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 RestrictRealtime=yes
Unnamed repository; edit this file 'description' to name the repository.