From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 22 Jun 2016 23:33:07 +0000 (+0200)
Subject: execute: set PR_SET_NO_NEW_PRIVS also in case the exec memory protection is used
X-Git-Tag: v231~128^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=686d9ba614adfef22b1eedc6d1565e18e8778829;p=thirdparty%2Fsystemd.git

execute: set PR_SET_NO_NEW_PRIVS also in case the exec memory protection is used

This was forgotten when MemoryDenyWriteExecute= was added: we should set NNP in
all cases when we set seccomp filters.
---

diff --git a/src/core/execute.c b/src/core/execute.c
index ac87e334a46..135e5672221 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2017,7 +2017,7 @@ static int exec_child(
                         }
 
                 if (context->no_new_privileges ||
-                    (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || use_syscall_filter)))
+                    (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || context->memory_deny_write_execute || use_syscall_filter)))
                         if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
                                 *exit_status = EXIT_NO_NEW_PRIVILEGES;
                                 return -errno;