Do not set PR_SET_NO_NEW_PRIVS when installing seccomp filter
Setting PR_SET_NO_NEW_PRIVS actually breaks SELinux domain transition
(of debuggerd, for example). Do not set the bit when installing the filter.
Instead, the caller must either have done it, or have CAP_SYS_ADMIN.
Test: build
Bug: 63944145
Bug: 71859146
Change-Id: I2af334fed61cac03fd0b3b5c8866e2e72b31cf17
diff --git a/libc/seccomp/seccomp_policy.cpp b/libc/seccomp/seccomp_policy.cpp
index 99a821f..fde1a9f 100644
--- a/libc/seccomp/seccomp_policy.cpp
+++ b/libc/seccomp/seccomp_policy.cpp
@@ -133,11 +133,7 @@
static_cast<unsigned short>(f.size()),
const_cast<struct sock_filter*>(&f[0]),
};
-
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
- PLOG(FATAL) << "Could not set to no new privs";
- return false;
- }
+ // This assumes either the current process has CAP_SYS_ADMIN, or PR_SET_NO_NEW_PRIVS bit is set.
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
PLOG(FATAL) << "Could not set seccomp filter of size " << f.size();
return false;
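Review bot: The precondition at the new comment line above `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` is stated but not enforced or diagnosed. If a caller has neither CAP_SYS_ADMIN nor the no_new_privs bit set, the kernel rejects the filter with EACCES and the only output is "Could not set seccomp filter of size ...", which does not point at the missing prerequisite. Consider checking `prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)` before the install, or at least special-casing EACCES in the failure path, so the log names the actual cause. The requirement also belongs in the function's header comment or declaration, since it is now a contract every caller must meet; the commit message says "the caller must either have done it, or have CAP_SYS_ADMIN", but nothing visible here shows that existing callers were audited for that.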