commit f7ee799023657126a89134cd64ab6a7638b4d1bf
from: Omar Polo
date: Sat Oct 02 17:20:10 2021 UTC
enforce PR_SET_NO_NEW_PRIVS in the logger process otherwise landlock will refuse to enable itself and the logger process dies.
commit - 0c66b6ad55416d9fca326c04b038784a9e59a84e
commit + f7ee799023657126a89134cd64ab6a7638b4d1bf
blob - 1d6b186557d8ec51faeacd42d456e955a59e02b9
blob + 364f9daa8f3713f9f0941b1f4a7c95341053f927
--- sandbox.c
+++ sandbox.c
@@ -587,6 +587,10 @@ sandbox_logger_process(void)
 * Landlock is a simpler beast, use it to disallow any file
 * sytsem access.
 */
+
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+ fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
+ __func__, strerror(errno));
 #if HAVE_LANDLOCK
 if (logger_landlock() == -1)
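Review bot: The new `prctl(PR_SET_NO_NEW_PRIVS, ...)` call is inserted between the block comment about Landlock and the `logger_landlock()` call without a comment of its own, so the ordering requirement is recorded only in the commit message. `landlock_restrict_self()` fails with EPERM unless the caller has no_new_privs set (or holds CAP_SYS_ADMIN), so I would add `/* must precede logger_landlock(): landlock_restrict_self(2) needs no_new_privs */` directly above the `if`. The call also sits outside `#if HAVE_LANDLOCK`, which is reasonable hardening on its own, but it means the logger now exits whenever this prctl fails even in builds without Landlock; if that fail-closed behaviour is intended, the comment should say so. `sandbox_logger_process()` starts and ends outside the hunk, so whether anything earlier in the function already sets the flag cannot be checked from here.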