libcontainer: use PR_SET_NO_NEW_PRIVS from x/sys/unix

tklauser · tklauser · commit 4019833d4615 · 2017-07-13T15:31:33.000+02:00
Use PR_SET_NO_NEW_PRIVS defined in golang.org/x/sys/unix instead of
manually defining it.

Signed-off-by: Tobias Klauser &lt;tklauser@distanz.ch&gt;
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
@@ -43,7 +43,7 @@ func (l *linuxSetnsInit) Init() error {
 		}
 	}
 	if l.config.NoNewPrivileges {
-		if err := unix.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
 			return err
 		}
 	}
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
@@ -42,10 +42,6 @@ func (l *linuxStandardInit) getSessionRingParams() (string, uint32, uint32) {
 	return fmt.Sprintf("_ses.%s", l.config.ContainerId), 0xffffffff, newperms
 }
 
-// PR_SET_NO_NEW_PRIVS isn't exposed in Golang so we define it ourselves copying the value
-// the kernel
-const PR_SET_NO_NEW_PRIVS = 0x26
-
 func (l *linuxStandardInit) Init() error {
 	if !l.config.Config.NoNewKeyring {
 		ringname, keepperms, newperms := l.getSessionRingParams()
@@ -128,7 +124,7 @@ func (l *linuxStandardInit) Init() error {
 		return err
 	}
 	if l.config.NoNewPrivileges {
-		if err := unix.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
 			return err
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func (l *linuxSetnsInit) Init() error {`
`43`	`43`	`}`
`44`	`44`	`}`
`45`	`45`	`if l.config.NoNewPrivileges {`
`46`		`- if err := unix.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {`
	`46`	`+ if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {`
`47`	`47`	`return err`
`48`	`48`	`}`
`49`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -42,10 +42,6 @@ func (l *linuxStandardInit) getSessionRingParams() (string, uint32, uint32) {`
`42`	`42`	`return fmt.Sprintf("_ses.%s", l.config.ContainerId), 0xffffffff, newperms`
`43`	`43`	`}`
`44`	`44`
`45`		`-// PR_SET_NO_NEW_PRIVS isn't exposed in Golang so we define it ourselves copying the value`
`46`		`-// the kernel`
`47`		`-const PR_SET_NO_NEW_PRIVS = 0x26`
`48`		`-`
`49`	`45`	`func (l *linuxStandardInit) Init() error {`
`50`	`46`	`if !l.config.Config.NoNewKeyring {`
`51`	`47`	`ringname, keepperms, newperms := l.getSessionRingParams()`
`@@ -128,7 +124,7 @@ func (l *linuxStandardInit) Init() error {`
`128`	`124`	`return err`
`129`	`125`	`}`
`130`	`126`	`if l.config.NoNewPrivileges {`
`131`		`- if err := unix.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {`
	`127`	`+ if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {`
`132`	`128`	`return err`
`133`	`129`	`}`
`134`	`130`	`}`