maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

container: move PR_SET_NO_NEW_PRIVS to parent

Browse Source 
This allows some LSM setup in the parent.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-08-18 11:46:02 +09:00
parent 22d577ab49
commit 69a4ab8105
3 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
container/init.go
View File

@@ -218,10 +218,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
}
}
if _, _, errno := Syscall(SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
log.Fatalf("prctl(PR_SET_NO_NEW_PRIVS): %v", errno)
}
if _, _, errno := Syscall(SYS_PRCTL, PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0); errno != 0 {
log.Fatalf("cannot clear the ambient capability set: %v", errno)
}
@@ -256,6 +252,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
rules = seccomp.Preset(params.SeccompPresets, params.SeccompFlags)
}
if err := seccomp.Load(rules, params.SeccompFlags); err != nil {
// this also indirectly asserts PR_SET_NO_NEW_PRIVS
log.Fatalf("cannot load syscall filter: %v", err)
}
msg.Verbosef("%d filter rules loaded", len(rules))