Merge "Do not set PR_SET_NO_NEW_PRIVS when install seccomp filter"

commit: 0d63a3c233040af004cc470d5f76547f3adc0148 [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Tue Jan 16 17:33:31 2018 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Jan 16 17:33:31 2018 +0000
tree: 088c833ab547357256feac5a42c86c0c7a26e074
parent: d16b09a4d2832d0daea6d211a6b5b5312d404425 [diff]
parent: dab45ad9360c78569a21e0e596d52586f996a675 [diff]
diff --git a/libc/seccomp/seccomp_policy.cpp b/libc/seccomp/seccomp_policy.cpp
index 99a821f..fde1a9f 100644
--- a/libc/seccomp/seccomp_policy.cpp
+++ b/libc/seccomp/seccomp_policy.cpp

@@ -133,11 +133,7 @@
         static_cast<unsigned short>(f.size()),
         const_cast<struct sock_filter*>(&f[0]),
     };
-
-    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
-        PLOG(FATAL) << "Could not set to no new privs";
-        return false;
-    }
+    // This assumes either the current process has CAP_SYS_ADMIN, or PR_SET_NO_NEW_PRIVS bit is set.
     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
         PLOG(FATAL) << "Could not set seccomp filter of size " << f.size();
         return false;
commit	0d63a3c233040af004cc470d5f76547f3adc0148	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Tue Jan 16 17:33:31 2018 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Jan 16 17:33:31 2018 +0000
tree	088c833ab547357256feac5a42c86c0c7a26e074
parent	d16b09a4d2832d0daea6d211a6b5b5312d404425 [diff]
parent	dab45ad9360c78569a21e0e596d52586f996a675 [diff]