author | Dmitry V. Levin <ldv@strace.io> | 2023-02-23 08:00:00 +0000 |
---|---|---|
committer | Dmitry V. Levin <ldv@strace.io> | 2023-02-23 08:00:00 +0000 |
commit | e88e5e9ae6da68f22d15f9be3193b1412ac9aa02 (patch) | |
tree | b177c0a88ece521f0875241d7f0e73ba523450ad | |
parent | b008856880b77f371d4b6c37a5739ee66afcce3a (diff) | |
download | strace-e88e5e9ae6da68f22d15f9be3193b1412ac9aa02.tar.gz |
filter_seccomp: do not call PR_SET_NO_NEW_PRIVS if privileged enough
If the strace process is privileged enough to add SECCOMP_MODE_FILTER
without PR_SET_NO_NEW_PRIVS, there is no need to do the latter.
* src/filter_seccomp.c (init_seccomp_filter): Try to add
SECCOMP_MODE_FILTER first, and if it failed with EACCES, do
PR_SET_NO_NEW_PRIVS and try to add SECCOMP_MODE_FILTER again.
-rw-r--r-- | src/filter_seccomp.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/src/filter_seccomp.c b/src/filter_seccomp.c
index b1fa4eb62..eced2da61 100644
--- a/src/filter_seccomp.c
+++ b/src/filter_seccomp.c
@@ -679,14 +679,20 @@ dump_seccomp_bpf(void)
 void
 init_seccomp_filter(void)
 {
-	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
-		perror_func_msg_and_die("prctl(PR_SET_NO_NEW_PRIVS)");
-
 	if (debug_flag)
 		dump_seccomp_bpf();
 
-	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog) < 0)
-		perror_func_msg_and_die("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
+	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog) == 0)
+		return;
+
+	if (errno == EACCES) {
+		if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
+			perror_func_msg_and_die("prctl(PR_SET_NO_NEW_PRIVS)");
+		if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog) == 0)
+			return;
+	}
+
+	perror_func_msg_and_die("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
 }
 
 int |
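Review bot: The `if (errno == EACCES)` branch in init_seccomp_filter carries no comment saying why that one errno value selects the fallback, so a later reader cannot tell a deliberate retry from an accidental one; I would add `/* EACCES: the kernel refuses a filter from a caller that lacks CAP_SYS_ADMIN in its user namespace unless no_new_privs is set, so set it and retry once. */` above that line. The change also has a side effect the commit message does not mention: when the first prctl succeeds, neither strace nor the tracee it forks gets no_new_privs any more, whereas before every tracee inherited it and could never gain privileges through a set-id execve; that is presumably intended for a privileged strace, but it deserves a sentence in the description or a comment next to the early `return`. Nothing is executed between the first prctl and the errno test, so the check itself reads the right value.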