core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMIN - ~lukeshu/systemd - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Ronny Chevalier <chevalier.ronny@gmail.com>	2016-01-30 17:26:39 +0100
committer	Ronny Chevalier <chevalier.ronny@gmail.com>	2016-02-28 14:44:26 +0100
commit	19c0b0b9a5039b842cf9e6c3e7ece75fb8725602 (patch)
tree	0414f22ec6d435c0d23457280b067e4b897d8186 /man/telinit.xml
parent	06fb28b16eb4b6170c2e2c0cf1f673730309509b (diff)

core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMIN

The manpage of seccomp specify that using seccomp with SECCOMP_SET_MODE_FILTER will return EACCES if the caller do not have CAP_SYS_ADMIN set, or if the no_new_privileges bit is not set. Hence, without NoNewPrivilege set, it is impossible to use a SystemCall* directive with a User directive set in system mode. Now, NoNewPrivileges is set if we are in user mode, or if we are in system mode and we don't have CAP_SYS_ADMIN, and SystemCall* directives are used.

Diffstat (limited to 'man/telinit.xml')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: