enforce PR_SET_NO_NEW_PRIVS in the logger process

otherwise landlock will refuse to enable itself and the logger process dies.
author: Omar Polo <op@omarpolo.com> 2021-10-02 17:20:10 +0000
committer: Omar Polo <op@omarpolo.com> 2021-10-02 17:20:10 +0000
commit: f7ee799023657126a89134cd64ab6a7638b4d1bf (patch)
tree: cdc7395197103623b7c94df8d5c6cf62e825861a /sandbox.c
parent: 0c66b6ad55416d9fca326c04b038784a9e59a84e (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/sandbox.c b/sandbox.c
index 1d6b186..364f9da 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -588,6 +588,10 @@ sandbox_logger_process(void)
 	 * sytsem access.
 	 */
 
+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
+		    __func__, strerror(errno));
+
 #if HAVE_LANDLOCK
 	if (logger_landlock() == -1)
 		fatal("%s: logger_landlock: %s",
author	Omar Polo <op@omarpolo.com>	2021-10-02 17:20:10 +0000
committer	Omar Polo <op@omarpolo.com>	2021-10-02 17:20:10 +0000
commit	f7ee799023657126a89134cd64ab6a7638b4d1bf (patch)
tree	cdc7395197103623b7c94df8d5c6cf62e825861a /sandbox.c
parent	0c66b6ad55416d9fca326c04b038784a9e59a84e (diff)