From 178f649ac21f1511db89c1bfcb617678b7bf2e2a Mon Sep 17 00:00:00 2001
From: The Fox in the Shell
Date: Thu, 7 Apr 2016 18:22:24 +0200
Subject: sandbox: Add NO_NEW_PRIVS inconditionally This is just a first try
---
 src/firejail/sandbox.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'src')
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5cfee44d8..109395b60 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -747,6 +747,16 @@ int sandbox(void* sandbox_arg) {
 set_caps();
 }
 
+ //****************************************
+ // Set NO_NEW_PRIVS if desired
+ //****************************************
+ int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+ if(no_new_privs != 0) {
+ errExit("NO_NEW_PRIVS");
+ } else
+ printf("No new privileges from this point on\n");
+
+
 //****************************************
 // fork the application and monitor it
 //****************************************
-- cgit v1.2.3-70-g09d2
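Review bot: The banner comment reads `// Set NO_NEW_PRIVS if desired`, but the `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` call below it is unconditional, so every sandboxed program loses the ability to gain privileges through setuid or file-capability binaries on execve, with no way for the user to opt out. That is a reasonable hardening default, but the comment should say what the code does, for example `// Set NO_NEW_PRIVS unconditionally: execve() can no longer grant privileges (setuid, file capabilities)`, or the call should be gated on an option. Because failure goes to `errExit("NO_NEW_PRIVS")`, a kernel older than 3.5 (which rejects this prctl) would presumably stop the sandbox from starting at all; if that fail-closed behaviour is intended, a one-line comment saying so would help. The `printf("No new privileges from this point on\n")` writes to stdout on every run, where it mixes with the sandboxed program's output, so it is better limited to a debug or verbose mode, and the unbraced `else` next to a braced `if` should get braces. `sandbox()` begins and ends outside the hunk, so the placement relative to the later fork cannot be checked from here.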