From: Mike Yuan <me@yhndnzj.com>
Date: Wed, 21 Jan 2026 19:26:31 +0000 (+0100)
Subject: units/systemd-portabled: enable NoNewPrivileges=
X-Git-Tag: v257.11~94
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a52749dc7da02e4ed8ee1f761e53ec18f989bfef;p=thirdparty%2Fsystemd.git

units/systemd-portabled: enable NoNewPrivileges=

As with all other daemons we ship.

(cherry picked from commit e9a1271a0c99f0fa5a16786c85b44b2a06150ae0)
(cherry picked from commit 09c4e863639647d012ab8a45fa8fa92657a720f9)
(cherry picked from commit e7b200817b8d2e9480ff599a29c6dde9eb1ee74f)
---

diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index cad2830b64b..d22f2342710 100644
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -20,6 +20,7 @@ ExecStart={{LIBEXECDIR}}/systemd-portabled
 BusName=org.freedesktop.portable1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 RestrictRealtime=yes