Avoid calling PR_SET_NO_NEW_PRIVS if privileged enough

When tracing a process that needs to execute setuid(2) or similar operations that require privilege escalation (e.g., sudo), it is necessary to avoid calling prctl(PR_SET_NO_NEW_PRIVS, 1). This call would prevent the tracee process from gaining the required privileges, leading to failures. Related issue #11 #11 (comment)
hmgle · May 31, 2024 · 8481a33 · 8481a33
1 parent ce9a1e4
commit 8481a33
Showing 1 changed file with 21 additions and 7 deletions.
diff --git a/graftcp.c b/graftcp.c
@@ -166,14 +166,28 @@ static void install_seccomp()
 		.len = (unsigned short)ARRAY_SIZE(filter),
 		.filter = filter,
 	};
-	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-		perror("prctl(PR_SET_NO_NEW_PRIVS)");
-		exit(errno);
-	}
-	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
-		perror("prctl(PR_SET_SECCOMP)");
-		exit(errno);
+	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0)
+		return;
+	if (errno == EACCES) {
+		/*
+		 * https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
+		 *  Filters installed for the seccomp mode 2 sandbox persist across
+		 *  execve and can change the behavior of newly-executed programs.
+		 *  Unprivileged users are therefore only allowed to install such filters
+		 *  if no_new_privs is set.
+		 */
+		if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+			perror("prctl(PR_SET_NO_NEW_PRIVS)");
+			exit(errno);
+		}
+		if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+			perror("prctl(PR_SET_SECCOMP)");
+			exit(errno);
+		}
+		return;
 	}
+	perror("prctl(PR_SET_SECCOMP)");
+	exit(errno);
 }
 #endif