From: Christian Brauner
Date: Fri, 2 Sep 2016 16:17:11 +0000 (+0200)
Subject: attach_options: add LXC_ATTACH_NO_NEW_PRIVS
X-Git-Tag: lxc-2.1.0~325^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1325da7eae056474fcb0e7362927d53e29e4ca2f;p=thirdparty%2Flxc.git

attach_options: add LXC_ATTACH_NO_NEW_PRIVS

Add a flag for PR_SET_NO_NEW_PRIVS. It is off by default.

Signed-off-by: Christian Brauner
---

diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h
index 3c54e7ca6..1df69924c 100644
--- a/src/lxc/attach_options.h
+++ b/src/lxc/attach_options.h
@@ -49,6 +49,8 @@ enum {
  /* the following are off by default */
  LXC_ATTACH_REMOUNT_PROC_SYS = 0x00010000, //!< Remount /proc filesystem
  LXC_ATTACH_LSM_NOW = 0x00020000, //!< FIXME: unknown
+ /* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
+ LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, //!< PR_SET_NO_NEW_PRIVS
 
  /* we have 16 bits for things that are on by default
   * and 16 bits that are off by default, that should
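Review bot: The Doxygen text on the new `LXC_ATTACH_NO_NEW_PRIVS` line only repeats the prctl name, and the comment above it ("block execve() gainable privileges") is hard to parse, so a caller reading this public header cannot tell what the flag commits them to. I would replace both with one description, e.g. `//!< Set no_new_privs on the attached process: execve() can no longer grant privileges (setuid/setgid bits, file capabilities); irreversible and inherited by children`. It is also worth stating next to the flag that no_new_privs restricts LSM label transitions at exec time, so combining it with `LXC_ATTACH_LSM_EXEC` may leave the attached process without the expected AppArmor/SELinux label, depending on the order in which the attach code applies them; that code is not part of this hunk, so please confirm there. The enum starts and ends outside the hunk.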