Diffstat (limited to 'libcap/cap_proc.c')
-rw-r--r-- | libcap/cap_proc.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/libcap/cap_proc.c b/libcap/cap_proc.c
index 3929f66..1329f94 100644
--- a/libcap/cap_proc.c
+++ b/libcap/cap_proc.c
@@ -390,7 +390,7 @@ static int _cap_set_secbits(struct syscaller_s *sc, unsigned bits)
 }
 
 /*
- * Set the security mode of the current process.
+ * Set the secbits of the current process.
  */
 int cap_set_secbits(unsigned bits)
 {
@@ -398,6 +398,14 @@ int cap_set_secbits(unsigned bits)
 }
 
 /*
+ * Attempt to raise the no new privs prctl value.
+ */
+static void _cap_set_no_new_privs(struct syscaller_s *sc)
+{
+ (void) _libcap_wprctl6(sc, PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0);
+}
+
+/*
  * Some predefined constants
  */
 #define CAP_SECURED_BITS_BASIC \
@@ -448,7 +456,11 @@ static int _cap_set_mode(struct syscaller_s *sc, cap_mode_t flavor)
 (void) _cap_drop_bound(sc, c);
 }
 (void) cap_clear_flag(working, CAP_PERMITTED);
+
+ /* for good measure */
+ _cap_set_no_new_privs(sc);
 break;
+
 default:
 errno = EINVAL;
 ret = -1;
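Review bot: The prctl status is discarded with `(void)` in the new `_cap_set_no_new_privs` (second hunk), so if `PR_SET_NO_NEW_PRIVS` cannot be raised (older kernels, or a seccomp/ptrace policy rejecting the call) `_cap_set_mode` in the third hunk still reports success while the process can still regain privilege through set-uid or file-capability executables; the `/* for good measure */` comment does not say whether that is acceptable. I would have the helper return the result, `static int _cap_set_no_new_privs(struct syscaller_s *sc) { return _libcap_wprctl6(sc, PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); }`, and in `_cap_set_mode` write `if (_cap_set_no_new_privs(sc) != 0) { ret = -1; }` (assuming `_libcap_wprctl6` returns the prctl status and `ret` is the function's return value, as the `default:` branch suggests). If the call is meant to stay best-effort, the comment should say so explicitly, e.g. `/* best effort: NO_NEW_PRIVS is irreversible and inherited by children; failure is not reported */`, and the cap_set_mode documentation should mention that this mode now sets an irreversible process flag. `_cap_set_mode` and the enclosing switch start and end outside the hunk.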