From 45fead18c377abcf5138f26b4908389f34d2ba60 Mon Sep 17 00:00:00 2001
From: Ophestra Umiker
Date: Sat, 9 Nov 2024 11:50:56 +0900
Subject: [PATCH] cmd/fshim: set no_new_privs flag

Signed-off-by: Ophestra Umiker
---
 cmd/fsu/main.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cmd/fsu/main.go b/cmd/fsu/main.go
index 76343e2..0ba5a13 100644
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@@ -15,6 +15,8 @@ const (
 fsuConfFile = "/etc/fsurc"
 envShim = "FORTIFY_SHIM"
 envAID = "FORTIFY_APP_ID"
+
+ PR_SET_NO_NEW_PRIVS = 0x26
 )
 
 var Fmain = compPoison
@@ -86,6 +88,9 @@ func main() {
 if err := syscall.Setresuid(uid, uid, uid); err != nil {
 log.Fatalf("cannot set uid: %v", err)
 }
+ if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
+ log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
+ }
 if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
 log.Fatalf("cannot start shim: %v", err)
 }
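Review bot: The new `PR_SET_NO_NEW_PRIVS` constant in the const block carries no comment, and as an exported name it becomes part of the package's surface even though the value is a raw kernel number; a doc line naming its origin would help, e.g. `// PR_SET_NO_NEW_PRIVS is the prctl(2) option from linux/prctl.h; once set, execve no longer grants privileges via setuid/setgid bits or file capabilities, and the flag is inherited across exec.` If nothing outside this file needs it, an unexported `prSetNoNewPrivs` would follow Go naming; if the kernel spelling is kept on purpose, the comment should say so. The const block starts before the hunk.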
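Review bot: The new prctl call fails unconditionally in a cgo-linked build, because syscall.AllThreadsSyscall always returns ENOTSUP in binaries that use cgo, so the shim would never be exec'd; if this helper is built with CGO_ENABLED=0 that is fine, but the assumption deserves a comment above the call, e.g. `// AllThreadsSyscall applies the per-thread flag on every runtime thread; it returns ENOTSUP under cgo, so this binary must be built without cgo.` Issuing the call after Setresuid and before Exec is the right order, since the flag has to be in place in the process image that execs the shim. For consistency with the neighbouring Fatalf calls, `log.Fatalf("cannot set no_new_privs flag: %v", errno)` avoids the explicit `.Error()`. main continues outside the hunk on both sides.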