PR_SET_NO_NEW_PRIVS
set the calling thread's no_new_privs attribute
- Provided by: manpages-dev (Version: 6.17-1)
- Source: manpages
Standard C library (libc, -lc)
#include <linux/prctl.h>  /* Definition of PR_* constants */
#include <sys/prctl.h>
int prctl(PR_SET_NO_NEW_PRIVS, 1L, 0L, 0L, 0L);
Set the calling thread's no_new_privs attribute. With no_new_privs set to 1, execve(2) promises not to grant privileges to do anything that could not have been done without the execve(2) call (for example, rendering the set-user-ID and set-group-ID mode bits, and file capabilities non-functional).
Once set, the no_new_privs attribute cannot be unset. The setting of this attribute is inherited by children created by fork(2) and clone(2), and preserved across execve(2).
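The following program, an added example rather than text from the man page, exercises each of the properties described above on Linux: it reads the attribute with PR_GET_NO_NEW_PRIVS, sets it, shows that an attempt to clear it (arg2 of 0) is rejected with EINVAL, and then checks that a forked child and an execve(2)'d /bin/sh both still see it. The helper names (nnp_get, nnp_set, nnp_try_clear, nnp_in_child, nnp_after_exec) are this example's own. The execve check reads the NoNewPrivs field of /proc/self/status, which exists on Linux 4.10 and later, and assumes /bin/sh and grep are present. Because the attribute is sticky, run this in a throwaway process: after it returns, nothing in that process can gain privilege through set-user-ID binaries or file capabilities. Setting no_new_privs is also the usual prerequisite for installing a seccomp filter without CAP_SYS_ADMIN (see seccomp(2)).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read the calling thread's no_new_privs attribute: 0 or 1, or -1 on error. */
int nnp_get(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0L, 0L, 0L, 0L);
}

/* Set no_new_privs. Returns 0 on success, -1 on error (errno set). */
int nnp_set(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1L, 0L, 0L, 0L);
}

/* Try to clear the attribute by passing 0 as arg2. The kernel accepts only
 * arg2 == 1, so this is expected to fail with EINVAL: once set, the bit is
 * sticky. Returns the errno value on failure, or 0 if the call succeeded. */
int nnp_try_clear(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 0L, 0L, 0L, 0L) == 0)
        return 0;
    return errno;
}

/* Fork a child and report the child's view of no_new_privs (0 or 1).
 * Returns -1 if fork/waitpid failed or the child could not read it.
 * Demonstrates inheritance across fork(2). */
int nnp_in_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int v = nnp_get();
        _exit(v < 0 ? 2 : v);   /* exit code 2 signals an error to the parent */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

/* Fork, execve(2) /bin/sh, and have the new image inspect its own
 * /proc/self/status. grep exits 0 when "NoNewPrivs: 1" is present and 1
 * when it is not, which we map to 1 and 0; anything else is an error (-1).
 * Demonstrates that the attribute is preserved across execve(2). */
int nnp_after_exec(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c",
              "grep -q '^NoNewPrivs:[[:space:]]*1$' /proc/self/status",
              (char *)NULL);
        _exit(3);               /* execl itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;          /* field present and equal to 1 */
    case 1:  return 0;          /* field absent or not 1 */
    default: return -1;         /* grep error, no /proc, or exec failure */
    }
}

int main(void)
{
    printf("before:          no_new_privs=%d\n", nnp_get());
    if (nnp_set() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after set:       no_new_privs=%d\n", nnp_get());
    int e = nnp_try_clear();
    printf("clear attempt:   %s\n", e ? strerror(e) : "succeeded (unexpected)");
    printf("in forked child: no_new_privs=%d\n", nnp_in_child());
    printf("after execve:    no_new_privs=%d\n", nnp_after_exec());
    return 0;
}
```

A process that inherits the bit cannot undo it by any means, so a sandboxing launcher typically sets it once, right before installing its seccomp filter or executing the confined program, and lets fork(2) and execve(2) carry it into everything that follows.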
On success, 0 is returned. On error, -1 is returned, and errno is set to indicate the error.
Linux-specific. Available since Linux 3.5.
prctl(2), PR_GET_NO_NEW_PRIVS(2const), seccomp(2)
For more information, see the kernel source file Documentation/userspace-api/no_new_privs.rst.