commit c2c9bccd546e44aac8919352261fd6ac59f3855b
author Jorge Lucangeli Obes <jorgelo@chromium.org> Tue May 01 09:30:24 2012 -0700
committer Gerrit <chrome-bot@google.com> Wed May 02 08:11:17 2012 -0700
tree 93a0a8076cf3f980784ddd90be084a0e212d6754
parent 524c04005b26aa15b004ac55aceefdc654893e66

Add API for PR_SET_NO_NEW_PRIVS and set seccomp filter before dropping root.

BUG=chromium-os:27878
TEST=minijail_unittest, syscall_filter_unittest
TEST=security_Minijail0
TEST=security_Minijail_seccomp

Change-Id: I78495fda8c14ca5b4f398806eb564b0756876735
Reviewed-on: https://gerrit.chromium.org/gerrit/21545
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

libminijail.h

diff --git a/libminijail.h b/libminijail.h
index 2f4ed7e..b1c425c 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -43,13 +43,10 @@
 /* Does not take ownership of |group|. */
 int minijail_change_group(struct minijail *j, const char *group);
 void minijail_use_seccomp(struct minijail *j);
+void minijail_no_new_privs(struct minijail *j);
 void minijail_use_seccomp_filter(struct minijail *j);
 void minijail_force_seccomp_filter(struct minijail *j);
 void minijail_parse_seccomp_filters(struct minijail *j, const char *path);
-int minijail_add_seccomp_filter(struct minijail *j, int nr,
-				const char *filter);
-void minijail_use_seccomp_bpf(struct minijail *j);
-void minijail_parse_seccomp_bpf(struct minijail *j, const char *path);
 void minijail_use_caps(struct minijail *j, uint64_t capmask);
 void minijail_namespace_vfs(struct minijail *j);
 /* Implies namespace_vfs and remount_readonly */