container: unexport PR_SET_NO_NEW_PRIVS wrapper

This is subtle to use correctly. It also does not make sense as part of the container API. Signed-off-by: Ophestra <cat@gensokyo.uk>
2026-04-10 23:45:51 +09:00
parent 67db3fbb8d
commit ad2c9f36cd
3 changed files with 4 additions and 4 deletions
--- a/container/container.go
+++ b/container/container.go
@@ -307,7 +307,7 @@ func (p *Container) Start() error {
 		done <- func() error {
 			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
 			// created from the calling thread
-			if err := SetNoNewPrivs(); err != nil {
+			if err := setNoNewPrivs(); err != nil {
 				return &StartError{
 					Fatal: true,
 					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -148,7 +148,7 @@ func (direct) lockOSThread() { runtime.LockOSThread() }

 func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
 func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
-func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
+func (direct) setNoNewPrivs() error               { return setNoNewPrivs() }

 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
--- a/container/syscall.go
+++ b/container/syscall.go
@@ -7,8 +7,8 @@ import (
 	"hakurei.app/ext"
 )

-// SetNoNewPrivs sets the calling thread's no_new_privs attribute.
-func SetNoNewPrivs() error {
+// setNoNewPrivs sets the calling thread's no_new_privs attribute.
+func setNoNewPrivs() error {
 	return ext.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0)
 }