PR_SET_NO_NEW_PRIVS：当一个进程（或其子进程）设置了 PR_SET_NO_NEW_PRIVS 属性后，它就不能再执行一些无法共享的特权操作，如 setuid 和 chroot。这是 kernel 3.5 以后加入的 feature，主要用于安全目的。
下面这个程序编译并执行后，就无法再使用 sudo su 命令。详见：
http://lwn.net/Articles/478062/
Test it like this:
---- begin test case
#include <sys/prctl.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
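/* Fallback definitions for toolchains whose <sys/prctl.h> predates the
 * kernel 3.5 additions. Guarded so that a header which already provides
 * them is not redefined; the values are the kernel's prctl option numbers. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 36
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 37
#endif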
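/*
 * Demonstrates PR_SET_NO_NEW_PRIVS: read the current flag, set it, read it
 * back, then exec bash so the effect can be observed interactively. Per
 * prctl(2) the bit is inherited across fork/execve and cannot be cleared
 * once set, so setuid-based helpers such as `sudo su` no longer gain
 * privileges inside the spawned shell.
 *
 * On success the process image is replaced by bash and main() does not
 * return; returns 1 if any prctl() call or the exec fails.
 */
int main(void)
{
	/* The libc wrapper reports kernel errors as -1 with errno set; it does
	 * not return -EINVAL directly, so test for a negative result instead of
	 * comparing against -EINVAL (which could never match). */
	int nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
	if (nnp < 0) {
		perror("prctl(PR_GET_NO_NEW_PRIVS)");
		return 1;
	}
	printf("nnp was %d\n", nnp);

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
		perror("prctl(PR_SET_NO_NEW_PRIVS)");
		return 1;
	}

	nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
	if (nnp < 0) {
		perror("prctl(PR_GET_NO_NEW_PRIVS)");
		return 1;
	}
	printf("nnp is %d\n", nnp);
	printf("here goes...\n");

	/* stdout may be fully buffered when it is not a tty; execlp() replaces
	 * the process image without flushing stdio, so flush explicitly or the
	 * lines above are lost. */
	fflush(stdout);

	/* The variadic terminator must be a null pointer, not a bare integer 0. */
	execlp("bash", "bash", (char *)NULL);

	/* Only reached if the exec failed. */
	perror("execlp(bash)");
	return 1;
}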