> If this feature is primarily for testing purposes,
> wouldn't using setpriv from util-linux achieve the same
> without adding code?
>
>    setpriv --no-new-privs \
>        runcon -t svirt_lxc_net_t /bin/sh
>

Nice! I did not know about this one!

Do you think it would be beneficial to mention that in the info
documentation?

Patch for the info documentation attached.

best regards,
Sebastian.
From aa522282c81a07391ef9d83aa3ae1868338fca5a Mon Sep 17 00:00:00 2001
From: Sebastian Kisela <[email protected]>
Date: Mon, 29 May 2017 14:17:07 +0200
Subject: [PATCH] runcon: mention no-new-privs feature possible through setpriv

* runcon modify usage info documentation
* References https://bugzilla.redhat.com/1360903
---
 doc/coreutils.texi | 4 ++++
 gnulib             | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/doc/coreutils.texi b/doc/coreutils.texi
index 1834e92..3b406ae 100644
--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
@@ -16586,6 +16586,10 @@ security context.
 
 The program accepts the following options.  Also see @ref{Common options}.
 
+Use 'setpriv --no-new-privs runcon ...' to set NO_NEW_PRIVS bit, to disallow usage of context with more privileges than the process has normally.
+
+The setpriv command is part of the util-linux package and is available from Linux Kernel Archive (ftp://ftp.kernel.org/pub/linux/utils/util-linux/⟩
+
 @table @samp
 
 @item -c
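Review bot: the two added paragraphs are inserted between "The program accepts the following options." and the @table that lists those options, so the intro sentence is separated from its list; move the new text above that sentence (or below the table). In the first added line the command is quoted with ASCII apostrophes rather than Texinfo markup, so it will not render as code: write it as @samp{setpriv --no-new-privs runcon @dots{}} or put it in an @example block, and mention NO_NEW_PRIVS as "the NO_NEW_PRIVS bit". In the second added line the URL should be wrapped in @url{...}, and the closing "⟩" is a stray character that leaves the opening parenthesis unbalanced; both added lines are also far longer than the rest of the file and should be wrapped.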
diff --git a/gnulib b/gnulib
index efb8421..8edebfe 160000
--- a/gnulib
+++ b/gnulib
@@ -1 +1 @@
-Subproject commit efb84214ac14749188ab8294a52b4e91475c13b6
+Subproject commit 8edebfe6f97d0e378d042accb2475a32a53f100f
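Review bot: this gnulib submodule bump is unrelated to the documentation change described in the commit message and should not be part of this patch; drop the gnulib hunk (and the "gnulib | 2 +-" line in the diffstat) so the patch touches only doc/coreutils.texi, and submit the submodule update separately if it is needed at all.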
-- 
2.9.4
