Merge "Do not set PR_SET_NO_NEW_PRIVS when install seccomp filter"
diff --git a/libc/seccomp/seccomp_policy.cpp b/libc/seccomp/seccomp_policy.cpp
index 99a821f..fde1a9f 100644
--- a/libc/seccomp/seccomp_policy.cpp
+++ b/libc/seccomp/seccomp_policy.cpp
@@ -133,11 +133,7 @@
         static_cast<unsigned short>(f.size()),
         const_cast<struct sock_filter*>(&f[0]),
     };
-
-    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
-        PLOG(FATAL) << "Could not set to no new privs";
-        return false;
-    }
+    // This assumes either the current process has CAP_SYS_ADMIN, or PR_SET_NO_NEW_PRIVS bit is set.
     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
         PLOG(FATAL) << "Could not set seccomp filter of size " << f.size();
         return false;