From b469a82eec8c9a9bd21643262e4d50ebc4a7c464 Mon Sep 17 00:00:00 2001
From: Albert S
Date: Mon, 27 Dec 2021 11:50:21 +0100
Subject: [PATCH] pledge: Allow NO_NEW_PRIVS prctls

Retreiving it does no harm. It cannot be unset once set, thus no harm in allowing to set it either.
---
 exile.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/exile.h b/exile.h
index c8da45e..5dff26f 100644
--- a/exile.h
+++ b/exile.h
@@ -697,6 +697,8 @@ static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct s
 struct sock_filter prctl_default[] ={
 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[0]))),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PR_SET_NO_NEW_PRIVS, EXILE_SYSCALL_EXIT_BPF_RETURN, 0),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PR_GET_NO_NEW_PRIVS, EXILE_SYSCALL_EXIT_BPF_RETURN, 0),
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PR_GET_NAME, EXILE_SYSCALL_EXIT_BPF_RETURN, 0),
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PR_SET_NAME, EXILE_SYSCALL_EXIT_BPF_RETURN, 0),
 EXILE_BPF_NOP,
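Review bot: The two new `prctl_default` entries carry no comment, so the reason they are safe to allow lives only in the commit message; since this array is the sandbox's prctl allowlist, I would record it next to the code, e.g. `/* no_new_privs is one-way (cannot be cleared once set), so get/set cannot widen privileges */` above the `PR_SET_NO_NEW_PRIVS` line. That comment could also state that the match is on `args[0]` only, loaded as a 32-bit word, so the remaining prctl arguments are left to the kernel's own validation. `EXILE_SYSCALL_EXIT_BPF_RETURN` is defined outside this hunk, so I am assuming it reaches the same allow path used for `PR_GET_NAME`/`PR_SET_NAME`. Both the array and `get_pledge_argfilter` continue past the end of the hunk.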