<filename>/dev/sda</filename>. This is
useful to securely turn off physical
device access by the executed
- process. Defaults to
- false.</para></listitem>
+ process. Defaults to false. Note that
+ enabling this option implies that
+ <constant>CAP_MKNOD</constant> is
+ removed from the capability bounding
+ set for the unit.</para></listitem>
</varlistentry>
<varlistentry>
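Review bot: the new sentence in the PrivateDevices= entry documents the implied CAP_MKNOD drop only here; the CapabilityBoundingSet= entry should carry the same note, or a cross-reference, since a reader who lists CAP_MKNOD explicitly in CapabilityBoundingSet= will otherwise have no indication that PrivateDevices=true removes it again. Consider also stating whether the removal happens regardless of an explicit CapabilityBoundingSet= value, so the precedence is clear from the man page alone.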
!set_isempty(c->address_families)))
c->no_new_privileges = true;
+ if (c->private_devices)
+ c->capability_bounding_set_drop |= (uint64_t) 1ULL << (uint64_t) CAP_MKNOD;
+
return 0;
}
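Review bot: the drop mask is ORed unconditionally in the new `if (c->private_devices)` branch, so a unit that sets both PrivateDevices=yes and CapabilityBoundingSet=CAP_MKNOD silently loses the capability with no log line; consider emitting a debug or warning message when `c->capability_bounding_set_drop` already excludes CAP_MKNOD or when the user has explicitly requested it, so the override is discoverable. Style: `(uint64_t) 1ULL << (uint64_t) CAP_MKNOD` double-casts a value that is already `unsigned long long`, and the cast on the shift count has no effect; `UINT64_C(1) << CAP_MKNOD` (or a `CAP_TO_MASK`-style helper if the codebase has one) reads more clearly.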