Note that setting this is likely to defeat any selinux protections on the service (if any) -- until selinux adds some magic restrict-only mode and makes it work with no_new_privs, privilege transitions on exec won't happen.
systemd could get fancy and do the selinux transition itself, I suppose.
Take a look at the shiny docs in Documentation/prctl/no_new_privs.txt
Copyright © 2017, Eklektix, Inc.