From: Mike Yuan
Date: Wed, 21 Jan 2026 19:26:31 +0000 (+0100)
Subject: units/systemd-portabled: enable NoNewPrivileges=
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e9a1271a0c99f0fa5a16786c85b44b2a06150ae0;p=thirdparty%2Fsystemd.git

units/systemd-portabled: enable NoNewPrivileges=

As with all other daemons we ship.
---

diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index cad2830b64b..d22f2342710 100644
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -20,6 +20,7 @@ ExecStart={{LIBEXECDIR}}/systemd-portabled
 BusName=org.freedesktop.portable1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 RestrictRealtime=yes
diff --git a/units/user/systemd-portabled.service.in b/units/user/systemd-portabled.service.in
index 61aa85ef895..b0a64f20ffb 100644
--- a/units/user/systemd-portabled.service.in
+++ b/units/user/systemd-portabled.service.in
@@ -16,6 +16,7 @@ Documentation=man:org.freedesktop.portable1(5)
 ExecStart={{LIBEXECDIR}}/systemd-portabled --user
 BusName=org.freedesktop.portable1
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service @mount
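Review bot: The new `NoNewPrivileges=yes` in the system unit only stops the daemon and anything it executes from gaining privileges across execve; the CapabilityBoundingSet= line just above it still retains CAP_SYS_ADMIN, CAP_SYS_PTRACE and CAP_DAC_OVERRIDE, so the daemon's own ambient power is unchanged and the practical effect is confined to child processes. Whether systemd-portabled spawns any helper that depends on a setuid or file-capability binary is not visible from this hunk; that should be confirmed against the daemon's sources or by running the portable-services integration test before merging, since such a helper would silently lose its capabilities under no_new_privs. The unit's [Service] section starts before and ends after this hunk, so whether a User= line is present cannot be seen here; if the service runs as root the commit message's rationale ("as with all other daemons we ship") is accurate but it would be worth stating in the message that the gain is the execve hardening rather than a reduction of the daemon's capabilities. Running `systemd-analyze security systemd-portabled.service` before and after is a cheap way to document the resulting exposure change.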
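Review bot: In the user unit the added `NoNewPrivileges=yes` is, as far as I recall systemd's behaviour for unprivileged services, already implied by the seccomp-based options visible in the same hunk (MemoryDenyWriteExecute=, RestrictRealtime=, RestrictAddressFamilies=, SystemCallFilter=), because an unprivileged process must set no_new_privs before installing a seccomp filter; the line therefore makes the existing state explicit rather than tightening it. That is still worthwhile for consistency with the system unit and for tooling that reads the unit rather than the runtime state, but the commit message could say so to avoid readers assuming a behavioural change for the `--user` instance. The [Service] section continues beyond both ends of this hunk, so no other option that interacts with it can be checked here.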