Demi Marie Obenour <demiobenour@gmail.com> writes:
This prevents any program on the host from gaining privileges via execve(), ever. There are currently no such programs on the host so this should be a no-op for now.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 host/rootfs/image/etc/init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host/rootfs/image/etc/init b/host/rootfs/image/etc/init index 4085fa55545e7309004967e443e47fc2b82b0663..e9938acec866045962a8ead096d199cbd3792469 100755 --- a/host/rootfs/image/etc/init +++ b/host/rootfs/image/etc/init @@ -2,4 +2,4 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
-/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@ +/usr/bin/setpriv --no-new-privs -- /bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@
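Review bot: `$@` on the new line (carried over from the old one) is unquoted, so any kernel-supplied init argument containing whitespace is re-split before it reaches s6-linux-init; since the line is being rewritten anyway, quote it: `/usr/bin/setpriv --no-new-privs -- /bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- "$@"`. On the semantics, setpriv sets PR_SET_NO_NEW_PRIVS and then exec's s6-linux-init, and the flag is inherited across fork and execve and can never be cleared, so applying it in PID 1 does cover every process on the host as the commit message says; the trade-off is that a setuid or file-capability binary added to the image later would run with the caller's privileges instead of failing visibly, so a boot-time check such as `grep NoNewPrivs /proc/1/status` (expected value `1`) is worth adding to whatever smoke test the host has. The change also makes the rootfs image depend on util-linux's setpriv being installed at /usr/bin/setpriv; if that path is missing, init fails before s6-linux-init ever runs, which is worth a sentence in the commit message.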
Looks good, but it's a standard chainloader interface so should be on its own line. I'll fix that when I commit.