Constant PR_SET_NO_NEW_PRIVS
pub const PR_SET_NO_NEW_PRIVS: i32 = 38;
Available on crate feature dep_nc only.
If no_new_privs is set, then operations that grant new privileges (i.e.
execve) will either fail or not grant them. This affects suid/sgid,
file capabilities, and LSMs.
Operations that merely manipulate or drop existing privileges (setresuid,
capset, etc.) will still work. Drop those privileges if you want them gone.
Changing LSM security domain is considered a new privilege. So, for example,
asking selinux for a specific new context (e.g. with runcon) will result
in execve returning -EPERM.
See Documentation/userspace-api/no_new_privs.rst for more details.
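The following is an added example, not code from this crate: it sets and queries the bit, and launches a child with the bit applied only on the child's side of the fork. It assumes Linux, calls libc's prctl through a local extern declaration because this page does not show the crate's own wrapper, takes PR_GET_NO_NEW_PRIVS = 39 from the Linux prctl interface rather than from this page, and uses hypothetical function names.

```rust
use std::io;
use std::os::raw::{c_int, c_ulong};
use std::os::unix::process::CommandExt;
use std::process::Command;

// 38 is the value on this page; 39 is Linux's matching query option (assumption).
pub const PR_SET_NO_NEW_PRIVS: c_int = 38;
pub const PR_GET_NO_NEW_PRIVS: c_int = 39;

extern "C" {
    // libc's variadic prctl(2), declared locally so no external crate is needed.
    fn prctl(option: c_int, ...) -> c_int;
}

/// Sets the bit on the calling thread. The kernel requires arg2 == 1 and the
/// other arguments to be 0; once set, the bit cannot be cleared.
pub fn set_no_new_privs() -> io::Result<()> {
    let (one, zero): (c_ulong, c_ulong) = (1, 0);
    match unsafe { prctl(PR_SET_NO_NEW_PRIVS, one, zero, zero, zero) } {
        0 => Ok(()),
        _ => Err(io::Error::last_os_error()),
    }
}

/// Reads the calling thread's bit (per thread, inherited over fork and execve).
pub fn no_new_privs() -> io::Result<bool> {
    let zero: c_ulong = 0;
    match unsafe { prctl(PR_GET_NO_NEW_PRIVS, zero, zero, zero, zero) } {
        -1 => Err(io::Error::last_os_error()),
        v => Ok(v == 1),
    }
}

/// Runs `program` with the bit set between fork and exec; returns its stdout.
pub fn run_with_no_new_privs(program: &str, args: &[&str]) -> io::Result<String> {
    let mut cmd = Command::new(program);
    // The hook runs in the forked child, so the parent's own state is untouched.
    unsafe { cmd.args(args).pre_exec(set_no_new_privs); }
    let out = cmd.output()?;
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

fn main() -> io::Result<()> {
    let status = run_with_no_new_privs("cat", &["/proc/self/status"])?;
    println!("child: {:?}", status.lines().find(|l| l.starts_with("NoNewPrivs")));
    set_no_new_privs()?;
    println!("parent after set: {}", no_new_privs()?);
    Ok(())
}
```

Because the bit is per thread, a multi-threaded program should set it before spawning threads, or query it from the thread that will call execve.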