security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

container: move PR_SET_NO_NEW_PRIVS to parent
All checks were successful
Test / Create distribution (push) Successful in 28s
Details
Test / Create distribution (pull_request) Successful in 24s
Details
Test / Sandbox (push) Successful in 2m9s
Details
Test / Sandbox (pull_request) Successful in 1m51s
Details
Test / Hpkg (push) Successful in 4m17s
Details
Test / Hpkg (pull_request) Successful in 3m45s
Details
Test / Sandbox (race detector) (push) Successful in 4m25s
Details
Test / Sandbox (race detector) (pull_request) Successful in 4m8s
Details
Test / Hakurei (race detector) (push) Successful in 5m8s
Details
Test / Hakurei (race detector) (pull_request) Successful in 4m50s
Details
Test / Hakurei (push) Successful in 5m12s
Details
Test / Hakurei (pull_request) Successful in 40s
Details
Test / Flake checks (push) Successful in 1m40s
Details
Test / Flake checks (pull_request) Successful in 1m24s
Details

Browse Source 
This allows some LSM setup in the parent.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-08-18 11:46:02 +09:00
parent 22d577ab49
commit 69a4ab8105
3 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
container/syscall.go
View File

@@ -18,6 +18,14 @@ func SetDumpable(dumpable uintptr) error {
return nil
}
func SetNoNewPrivs() error {
_, _, errno := syscall.Syscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0)
if errno == 0 {
return nil
}
return errno
}
// IgnoringEINTR makes a function call and repeats it if it returns an
// EINTR error. This appears to be required even though we install all
// signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.