samples/seccomp: Enable PR_SET_NO_NEW_PRIVS in dropper

Either CAP_SYS_ADMIN or PR_SET_NO_NEW_PRIVS is required to enable
seccomp. This allows samples/seccomp/dropper to be run without
CAP_SYS_ADMIN.

Signed-off-by: Ricky Zhou <rickyz@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>

1 files changed, 5 insertions, 2 deletions

diff --git a/samples/seccomp/dropper.c b/samples/seccomp/dropper.c
index c69c347c7011..68325ca5e71c 100644
--- a/samples/seccomp/dropper.c
+++ b/samples/seccomp/dropper.c
@@ -11,7 +11,6 @@
  * When run, returns the specified errno for the specified
  * system call number against the given architecture.
  *
- * Run this one as root as PR_SET_NO_NEW_PRIVS is not called.
  */
 
 #include <errno.h>
@@ -42,8 +41,12 @@ static int install_filter(int nr, int arch, int error)
                 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
                 .filter = filter,
         };
+        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                perror("prctl(NO_NEW_PRIVS)");
+                return 1;
+        }
         if (prctl(PR_SET_SECCOMP, 2, &prog)) {
-                perror("prctl");
+                perror("prctl(PR_SET_SECCOMP)");
                 return 1;
         }
         return 0;