User: Password:
|
|
Subscribe / Log in / New account

Systemd gets seccomp filter support

Systemd gets seccomp filter support

Posted Jul 20, 2012 0:36 UTC (Fri) by luto (subscriber, #39314)
In reply to: Systemd gets seccomp filter support by scientes
Parent article: Systemd gets seccomp filter support

You don't need to be root to use PR_SET_NO_NEW_PRIVS.

Note that setting this is likely to defeat any selinux protections on the service (if any) -- until selinux adds some magic restrict-only mode and makes it work with no_new_privs, privilege transitions on exec won't happen.

systemd could get fancy and do the selinux transition itself, I suppose.

Take a look at the shiny docs in Documentation/prctl/no_new_privs.txt


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds