container: move PR_SET_NO_NEW_PRIVS to parent

This allows some LSM setup in the parent. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-18 11:46:02 +09:00
parent 22d577ab49
commit 69a4ab8105
3 changed files with 15 additions and 4 deletions
--- a/container/syscall.go
+++ b/container/syscall.go
@@ -18,6 +18,14 @@ func SetDumpable(dumpable uintptr) error {
 	return nil
 }

+func SetNoNewPrivs() error {
+	_, _, errno := syscall.Syscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0)
+	if errno == 0 {
+		return nil
+	}
+	return errno
+}
+
 // IgnoringEINTR makes a function call and repeats it if it returns an
 // EINTR error. This appears to be required even though we install all
 // signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.