authorDmitry V. Levin <ldv@strace.io>2023-02-23 08:00:00 +0000
committerDmitry V. Levin <ldv@strace.io>2023-02-23 08:00:00 +0000
commite88e5e9ae6da68f22d15f9be3193b1412ac9aa02 (patch)
treeb177c0a88ece521f0875241d7f0e73ba523450ad
parentb008856880b77f371d4b6c37a5739ee66afcce3a (diff)
filter_seccomp: do not call PR_SET_NO_NEW_PRIVS if privileged enough
If the strace process is privileged enough to add SECCOMP_MODE_FILTER without PR_SET_NO_NEW_PRIVS, there is no need to do the latter. * src/filter_seccomp.c (init_seccomp_filter): Try to add SECCOMP_MODE_FILTER first, and if that fails with EACCES, do PR_SET_NO_NEW_PRIVS and try to add SECCOMP_MODE_FILTER again.
-rw-r--r--src/filter_seccomp.c16
1 files changed, 11 insertions, 5 deletions
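diff --git a/src/filter_seccomp.c b/src/filter_seccomp.c
index b1fa4eb62..eced2da61 100644
--- a/src/filter_seccomp.c
+++ b/src/filter_seccomp.c
@@ -679,14 +679,20 @@ dump_seccomp_bpf(void)
 void
 init_seccomp_filter(void)
 {
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
- perror_func_msg_and_die("prctl(PR_SET_NO_NEW_PRIVS)");
-
 if (debug_flag)
 dump_seccomp_bpf();
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog) < 0)
- perror_func_msg_and_die("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog) == 0)
+ return;
+
+ if (errno == EACCES) {
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
+ perror_func_msg_and_die("prctl(PR_SET_NO_NEW_PRIVS)");
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog) == 0)
+ return;
+ }
+
+ perror_func_msg_and_die("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
 }
 int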
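Review bot: The condition under which the first `prctl(PR_SET_SECCOMP, ...)` on the new side can succeed without no_new_privs is nowhere stated, and the consequence of taking that path — no_new_privs is never set on the strace process, so it is no longer inherited by the tracees it forks, unlike before this change — deserves a comment at that first `if`. Per seccomp(2), installing SECCOMP_MODE_FILTER without no_new_privs requires CAP_SYS_ADMIN in the caller's user namespace and EACCES is the errno reported when that is missing, so a comment such as `/* Without no_new_privs, SECCOMP_MODE_FILTER needs CAP_SYS_ADMIN in our user namespace; EACCES means we lack it, so set no_new_privs and retry. */` makes the EACCES-keyed retry self-explanatory. Keying the retry on EACCES alone looks right: any other failure reaches the final die call with the first attempt's errno intact, and after a failed retry the message reports the second attempt's errno. init_seccomp_filter lies entirely within the hunk.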