sandbox: leverage PR_SET_NO_NEW_PRIVS when availablev2.27

This will lock down the ability to use set*id programs (like sudo), and will allow us to utilize seccomp bpf to speed up ptrace. Closes: https://bugs.gentoo.org/442172 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
author: Mike Frysinger <vapier@gentoo.org> 2021-10-21 20:20:58 -0400
committer: Mike Frysinger <vapier@gentoo.org> 2021-10-23 20:54:46 -0400
commit: f0d8469ab6f3a4039038bf86cc829e917b596f40 (patch)
tree: 25fb9ed1dd03c33514259e3631eb4fc031eef4a1 /headers.h
parent: tests: fix lremovexattr typo (diff)
download: sandbox-f0d8469ab6f3a4039038bf86cc829e917b596f40.tar.gz
sandbox-f0d8469ab6f3a4039038bf86cc829e917b596f40.tar.bz2
sandbox-f0d8469ab6f3a4039038bf86cc829e917b596f40.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/headers.h b/headers.h
index 605413e..396002f 100644
--- a/headers.h
+++ b/headers.h
@@ -113,6 +113,9 @@
 #ifdef HAVE_SYS_PARAM_H
 # include <sys/param.h>
 #endif
+#ifdef HAVE_SYS_PRCTL_H
+# include <sys/prctl.h>
+#endif
 #ifdef HAVE_SYS_PTRACE_H
 # include <sys/ptrace.h>
 #endif
author	Mike Frysinger <vapier@gentoo.org>	2021-10-21 20:20:58 -0400
committer	Mike Frysinger <vapier@gentoo.org>	2021-10-23 20:54:46 -0400
commit	f0d8469ab6f3a4039038bf86cc829e917b596f40 (patch)
tree	25fb9ed1dd03c33514259e3631eb4fc031eef4a1 /headers.h
parent	tests: fix lremovexattr typo (diff)
download	sandbox-f0d8469ab6f3a4039038bf86cc829e917b596f40.tar.gz sandbox-f0d8469ab6f3a4039038bf86cc829e917b596f40.tar.bz2 sandbox-f0d8469ab6f3a4039038bf86cc829e917b596f40.zip