execute: set PR_SET_NO_NEW_PRIVS also in case the exec memory protection is used

This was forgotten when MemoryDenyWriteExecute= was added: we should set NNP in
all cases when we set seccomp filters.

diff --git a/src/core/execute.c b/src/core/execute.c
index ac87e334a462622a54a7bee7d0577c1c482378fb..135e5672221726ca9f8848398a79dedfbafd06de 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2017,7 +2017,7 @@ static int exec_child(
                         }
 
                 if (context->no_new_privileges ||
-                    (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || use_syscall_filter)))
+                    (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || context->memory_deny_write_execute || use_syscall_filter)))
                         if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
                                 *exit_status = EXIT_NO_NEW_PRIVILEGES;
                                 return -errno;