Revert "Revert "Mount all fs nosuid when NoNewPrivileges=yes""

This reverts commit 1753d3021564671fba3d3196a84da657d15fb632.

Let's re-enable that feature now. As reported when the original commit
was merged, this causes some trouble on SELinux enabled systems. So,
in the subsequent commit, the feature will be disabled when SELinux is enabled.
But, anyway, this commit just re-enable that feature unconditionally.

1 files changed, 4 insertions, 3 deletions

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 893b56d93a..96d18dd93b 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -675,9 +675,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
         <varname>SystemCallArchitectures=</varname>,
         <varname>SystemCallFilter=</varname>, or
         <varname>SystemCallLog=</varname> are specified. Note that even if this setting is overridden
-        by them, <command>systemctl show</command> shows the original value of this setting. Also see
-        <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New
-        Privileges Flag</ulink>.</para></listitem>
+        by them, <command>systemctl show</command> shows the original value of this setting. In case the
+        service will be run in a new mount namespace anyway, all file systems are mounted with MS_NOSUID
+        flag. Also see <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">
+        No New Privileges Flag</ulink>.</para></listitem>
       </varlistentry>
 
       <varlistentry>