maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

container: move PR_SET_NO_NEW_PRIVS to parent

Browse Source 
This allows some LSM setup in the parent.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-08-18 11:46:02 +09:00
parent 22d577ab49
commit 69a4ab8105
3 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
container/container.go
View File

@@ -179,6 +179,12 @@ func (p *Container) Start() error {
p.wait = make(chan struct{})
done <- func() error { // setup depending on per-thread state must happen here
// PR_SET_NO_NEW_PRIVS: depends on per-thread state but acts on all processes created from that thread
if err := SetNoNewPrivs(); err != nil {
return wrapErrSuffix(err,
"prctl(PR_SET_NO_NEW_PRIVS):")
}
msg.Verbose("starting container init")
if err := p.cmd.Start(); err != nil {
return msg.WrapErr(err, err.Error())