summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--samples/seccomp/dropper.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/samples/seccomp/dropper.c b/samples/seccomp/dropper.c
index c69c347c7011..68325ca5e71c 100644
--- a/samples/seccomp/dropper.c
+++ b/samples/seccomp/dropper.c
@@ -11,7 +11,6 @@
* When run, returns the specified errno for the specified
* system call number against the given architecture.
*
- * Run this one as root as PR_SET_NO_NEW_PRIVS is not called.
*/
#include <errno.h>
@@ -42,8 +41,12 @@ static int install_filter(int nr, int arch, int error)
.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
.filter = filter,
};
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+ perror("prctl(NO_NEW_PRIVS)");
+ return 1;
+ }
if (prctl(PR_SET_SECCOMP, 2, &prog)) {
- perror("prctl");
+ perror("prctl(PR_SET_SECCOMP)");
return 1;
}
return 0;