hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

samples/seccomp: Enable PR_SET_NO_NEW_PRIVS in dropper 

Either CAP_SYS_ADMIN or PR_SET_NO_NEW_PRIVS is required to enable
seccomp. This allows samples/seccomp/dropper to be run without
CAP_SYS_ADMIN.

Signed-off-by: Ricky Zhou <rickyz@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Ricky Zhou 2016-10-13 10:34:08 -07:00 committed by Kees Cook
parent 0af04ba564
commit 1ff120504f
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
samples/seccomp/dropper.c
View File

@ -11,7 +11,6 @@
* When run, returns the specified errno for the specified
* system call number against the given architecture.
*
* Run this one as root as PR_SET_NO_NEW_PRIVS is not called.
*/
#include <errno.h>
@ -42,8 +41,12 @@ static int install_filter(int nr, int arch, int error)
.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
.filter = filter,
};
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl(NO_NEW_PRIVS)");
return 1;
}
if (prctl(PR_SET_SECCOMP, 2, &prog)) {
perror("prctl");
perror("prctl(PR_SET_SECCOMP)");
return 1;
}
return 0;