attach_options: add LXC_ATTACH_NO_NEW_PRIVS

Add a flag for PR_SET_NO_NEW_PRIVS. It is off by default.

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h
index 3c54e7ca686814439056d3066ad7394b99efef9b..1df69924c2b6eb8db1caea3276de12153a73b556 100644 (file)
--- a/src/lxc/attach_options.h
+++ b/src/lxc/attach_options.h
@@ -49,6 +49,8 @@ enum {
        /* the following are off by default */
        LXC_ATTACH_REMOUNT_PROC_SYS      = 0x00010000, //!< Remount /proc filesystem
        LXC_ATTACH_LSM_NOW               = 0x00020000, //!< FIXME: unknown
+       /* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
+       LXC_ATTACH_NO_NEW_PRIVS          = 0x00040000, //!< PR_SET_NO_NEW_PRIVS
 
        /* we have 16 bits for things that are on by default
         * and 16 bits that are off by default, that should