def set_no_new_privs():
"""
Set `no_new_privs`.
Notes
-----
- With `no_new_privs` set, `execve` promises not to grant the privilege to do anything that could not have been
done without the `execve` call.
- See `prctl manual page <http://man7.org/linux/man-pages/man2/prctl.2.html>`_
"""
py_prctl(C.PRCTL[b'set_no_new_privs'], 1, 0, 0, 0)
def set_keep_caps(locked=True):
"""
Set the `SECBIT_KEEP_CAPS` securebit.
Parameters
----------
locked: bool
if True, also set `SECBIT_KEEP_CAPS_LOCKED`
Raises
------
RuntimeError
if operation fails
"""
current = get_securebits()[0]
modified = (current | C.SECBIT_KEEP_CAPS_LOCKED | C.SECBIT_KEEP_CAPS) if locked else (current | C.SECBIT_KEEP_CAPS)
res = py_prctl(C.PRCTL[b'set_securebits'], modified, 0, 0, 0)
if res == -1:
raise RuntimeError("set_keep_caps failed")
def set_no_setuid_fixup(locked=True):
"""
Set the `SECBIT_NO_SETUID_FIXUP` securebit.
Parameters
----------
locked: bool
if True, also set `SECBIT_NO_SETUID_FIXUP_LOCKED`
Raises
------
RuntimeError
if operation fails
"""
current = get_securebits()[0]
modified = (current | C.SECBIT_NO_SETUID_FIXUP_LOCKED | C.SECBIT_NO_SETUID_FIXUP) if locked \
else (current | C.SECBIT_NO_SETUID_FIXUP)
res = py_prctl(C.PRCTL[b'set_securebits'], modified, 0, 0, 0)
if res == -1:
raise RuntimeError("set_no_setuid_fixup failed")
def get_securebits():
"""
Return the currently defined secure bits
Returns
-------
2uple (the securebits as an int, a dict of securebits)
"""
res = py_prctl(C.PRCTL[b'get_securebits'], 0, 0, 0, 0)
if res == -1:
raise RuntimeError("get_securebits() failed")
d = {
'SECBIT_NOROOT': res & C.SECBIT_NOROOT,
'SECBIT_NOROOT_LOCKED': res & C.SECBIT_NOROOT_LOCKED,
'SECBIT_KEEP_CAPS': res & C.SECBIT_KEEP_CAPS,
'SECBIT_KEEP_CAPS_LOCKED': res & C.SECBIT_KEEP_CAPS_LOCKED,
'SECBIT_NO_SETUID_FIXUP': res & C.SECBIT_NO_SETUID_FIXUP,
'SECBIT_NO_SETUID_FIXUP_LOCKED': res & C.SECBIT_NO_SETUID_FIXUP_LOCKED
}
return res, d