container: move PR_SET_NO_NEW_PRIVS to parent

This allows some LSM setup in the parent.

Signed-off-by: Ophestra <cat@gensokyo.uk>

container/container.go

@@ -179,6 +179,12 @@ func (p *Container) Start() error {
 		p.wait = make(chan struct{})
 
 		done <- func() error { // setup depending on per-thread state must happen here
+			// PR_SET_NO_NEW_PRIVS: depends on per-thread state but acts on all processes created from that thread
+			if err := SetNoNewPrivs(); err != nil {
+				return wrapErrSuffix(err,
+					"prctl(PR_SET_NO_NEW_PRIVS):")
+			}
+
 			msg.Verbose("starting container init")
 			if err := p.cmd.Start(); err != nil {
 				return msg.WrapErr(err, err.Error())

container/init.go

@@ -218,10 +218,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		}
 	}
 
-	if _, _, errno := Syscall(SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
-		log.Fatalf("prctl(PR_SET_NO_NEW_PRIVS): %v", errno)
-	}
-
 	if _, _, errno := Syscall(SYS_PRCTL, PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0); errno != 0 {
 		log.Fatalf("cannot clear the ambient capability set: %v", errno)
 	}
@@ -256,6 +252,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 			rules = seccomp.Preset(params.SeccompPresets, params.SeccompFlags)
 		}
 		if err := seccomp.Load(rules, params.SeccompFlags); err != nil {
+			// this also indirectly asserts PR_SET_NO_NEW_PRIVS
 			log.Fatalf("cannot load syscall filter: %v", err)
 		}
 		msg.Verbosef("%d filter rules loaded", len(rules))

container/syscall.go

@@ -18,6 +18,14 @@ func SetDumpable(dumpable uintptr) error {
 	return nil
 }
 
+func SetNoNewPrivs() error {
+	_, _, errno := syscall.Syscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0)
+	if errno == 0 {
+		return nil
+	}
+	return errno
+}
+
 // IgnoringEINTR makes a function call and repeats it if it returns an
 // EINTR error. This appears to be required even though we install all
 // signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.