core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMIN

The manpage of seccomp specify that using seccomp with SECCOMP_SET_MODE_FILTER will return EACCES if the caller do not have CAP_SYS_ADMIN set, or if the no_new_privileges bit is not set. Hence, without NoNewPrivilege set, it is impossible to use a SystemCall* directive with a User directive set in system mode. Now, NoNewPrivileges is set if we are in user mode, or if we are in system mode and we don't have CAP_SYS_ADMIN, and SystemCall* directives are used.
author: Ronny Chevalier <chevalier.ronny@gmail.com> 2016-01-30 17:26:39 +0100
committer: Ronny Chevalier <chevalier.ronny@gmail.com> 2016-02-28 14:44:26 +0100
commit: 19c0b0b9a5039b842cf9e6c3e7ece75fb8725602 (patch)
tree: 0414f22ec6d435c0d23457280b067e4b897d8186 /Makefile.am
parent: 06fb28b16eb4b6170c2e2c0cf1f673730309509b (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 7bd98dddf6..02557ef46a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1556,6 +1556,7 @@ EXTRA_DIST += \
 	test/test-execute/exec-systemcallfilter-failing.service \
 	test/test-execute/exec-systemcallfilter-not-failing2.service \
 	test/test-execute/exec-systemcallfilter-not-failing.service \
+	test/test-execute/exec-systemcallfilter-system-user.service \
 	test/test-execute/exec-user.service \
 	test/test-execute/exec-workingdirectory.service \
 	test/test-execute/exec-umask-0177.service \
author	Ronny Chevalier <chevalier.ronny@gmail.com>	2016-01-30 17:26:39 +0100
committer	Ronny Chevalier <chevalier.ronny@gmail.com>	2016-02-28 14:44:26 +0100
commit	19c0b0b9a5039b842cf9e6c3e7ece75fb8725602 (patch)
tree	0414f22ec6d435c0d23457280b067e4b897d8186 /Makefile.am
parent	06fb28b16eb4b6170c2e2c0cf1f673730309509b (diff)