prctl: Migrate prctl(NO_NEW_PRIVS) setting.

Signed-off-by: Michał Mirosław <emmir@google.com>

criu/include/parasite.h

@@ -148,6 +148,7 @@ struct parasite_dump_creds {
 
 	int uids[4];
 	int gids[4];
+	int no_new_privs;
 	unsigned int secbits;
 	unsigned int ngroups;
 	/*

criu/include/prctl.h

@@ -30,6 +30,12 @@
 #ifndef PR_SET_DUMPABLE
 #define PR_SET_DUMPABLE 4
 #endif
+#ifndef PR_GET_NO_NEW_PRIVS
+#define PR_GET_NO_NEW_PRIVS 39
+#endif
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
 
 #ifndef PR_SET_MM
 #define PR_SET_MM	      35

criu/parasite-syscall.c

@@ -115,6 +115,10 @@ static int alloc_groups_copy_creds(CredsEntry *ce, struct parasite_dump_creds *c
 	memcpy(ce->cap_eff, c->cap_eff, sizeof(c->cap_eff[0]) * CR_CAP_SIZE);
 	memcpy(ce->cap_bnd, c->cap_bnd, sizeof(c->cap_bnd[0]) * CR_CAP_SIZE);
 
+	if (c->no_new_privs > 0) {
+		ce->no_new_privs = c->no_new_privs;
+		ce->has_no_new_privs = true;
+	}
 	ce->secbits = c->secbits;
 	ce->n_groups = c->ngroups;
 

criu/pie/parasite.c

@@ -268,6 +268,7 @@ static int dump_creds(struct parasite_dump_creds *args)
 		}
 	}
 
+	args->no_new_privs = sys_prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
 	args->secbits = sys_prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
 
 	ret = sys_getgroups(0, NULL);

criu/pie/restorer.c

@@ -345,6 +345,14 @@ skip_xids:
 	if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0)
 		return -1;
 
+	if (ce->has_no_new_privs && ce->no_new_privs) {
+		ret = sys_prctl(PR_SET_NO_NEW_PRIVS, ce->no_new_privs, 0, 0, 0);
+		if (ret) {
+			pr_err("Unable to set no_new_privs=%d: %d\n", ce->no_new_privs, ret);
+			return -1;
+		}
+	}
+
 	return 0;
 }
 

images/creds.proto

@@ -24,4 +24,5 @@ message creds_entry {
 	optional string lsm_profile = 15;
 	optional string lsm_sockcreate = 16;
 	optional bytes	apparmor_data	= 17;
+	optional uint32	no_new_privs	= 18;
 }