Skip to content

Instantly share code, notes, and snippets.

@gebi

gebi/Readme.md

Created September 9, 2012 21:29
Show Gist options
  • Save gebi/3687422 to your computer and use it in GitHub Desktop.
Save gebi/3687422 to your computer and use it in GitHub Desktop.
Download ZIP
NNP - No New Privileges
Raw
Readme.md

NNP - No New Privileges

NO_NEW_Privileges is a new linux mechanism to make sure a program or any child thereof can not gain any new privileges.

This sample program is based on http://www.outflux.net/blog/archives/2012/03/26/keeping-your-process-unprivileged/ from Kees Cook.

COMPILE

gcc -Wall -O2 nnp.c -o nnp

EXAMPLES

% nnp ping localhost
ping: icmp open socket: Operation not permitted.

% nnp mtr localhost
mtr: unable to get raw sockets.

Raw
nnp.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#ifndef PR_SET_NO_NEW_PRIVS
# define PR_SET_NO_NEW_PRIVS 38
#endif
int main(int argc, char * argv[])
{
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl(NO_NEW_PRIVS)");
return EXIT_FAILURE;
}
if (argc <= 1) {
fprintf(stderr, "nnp: missing operand\n");
return EXIT_FAILURE;
}
return execvp(argv[1], &argv[1]);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment