mirror of https://github.com/mkerrisk/man-pages
seccomp.2: Reword discussion of PR_SET_NO_NEW_PRIVS
parent d06d25cc28
commit 955efdbcc1
|
@ -100,12 +100,17 @@ is allowed by the filter,
|
|||
the filters and constraints on permitted system calls are preserved across an
|
||||
.BR execve (2).
|
||||
|
||||
Prior to using this operation, the process must call
|
||||
.IR "prctl(PR_SET_NO_NEW_PRIVS,\ 1)"
|
||||
or run with
|
||||
In order to use the
|
||||
.BR SECCOMP_SET_MODE_FILTER
|
||||
operation, either the caller must have the
|
||||
.BR CAP_SYS_ADMIN
|
||||
privileges in its namespace.
|
||||
If these are not true, the call will fail and return
|
||||
capability or the call must be preceded by the call:
|
||||
|
||||
prctl(PR_SET_NO_NEW_PRIVS, 1);
|
||||
|
||||
Otherwise, the
|
||||
.BR SECCOMP_SET_MODE_FILTER
|
||||
operation will fail and return
|
||||
.BR EACCES
|
||||
in
|
||||
.IR errno .
|
||||
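Review bot: The reworded sentence "either the caller must have the CAP_SYS_ADMIN capability" appears to drop the scoping that the earlier wording carried with "privileges in its namespace", so after this change the page no longer says where the capability is evaluated. Suggest keeping the qualifier, for example "the caller must have the CAP_SYS_ADMIN capability in its user namespace". A smaller wording point in the same sentence: "the call must be preceded by the call" repeats "call" and reads as if prctl(PR_SET_NO_NEW_PRIVS, 1) has to be issued immediately beforehand by the same code. What matters is that the no_new_privs attribute is already set on the calling thread, which is also the case when it was inherited from a parent, so something like "or the calling thread must already have the no_new_privs bit set, for example via a preceding call" would be more precise.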