| author | Lennart Poettering <lennart@poettering.net> | 2018-05-07 19:35:48 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2018-05-17 20:47:20 +0200 |
| commit | 66edd96310515e8236f5b3da62f0a1f5143bcd83 (patch) | |
| tree | 5759200f6d7e425462422da9c24adee3129c94f3 /src/nspawn/nspawn-settings.h | |
| parent | 3a9530e5f19565a9cadb7f20bd987c61e0e7c377 (diff) | |
| download | systemd-66edd96310515e8236f5b3da62f0a1f5143bcd83.tar.gz | |
nspawn: add a new --no-new-privileges= cmdline option to nspawn
This simply controls the PR_SET_NO_NEW_PRIVS flag for the container.
This too is primarily relevant to provide OCI runtime compatibility, but
might have other uses too, in particular as it nicely complements the
existing --capability= and --drop-capability= flags.
Diffstat (limited to 'src/nspawn/nspawn-settings.h')
| -rw-r--r-- | src/nspawn/nspawn-settings.h | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/nspawn/nspawn-settings.h b/src/nspawn/nspawn-settings.h
index 3d3ee4c28c..130331ee18 100644
--- a/src/nspawn/nspawn-settings.h
+++ b/src/nspawn/nspawn-settings.h
@@ -50,9 +50,10 @@ typedef enum SettingsMask {
 SETTING_PIVOT_ROOT = UINT64_C(1) << 15,
 SETTING_SYSCALL_FILTER = UINT64_C(1) << 16,
 SETTING_HOSTNAME = UINT64_C(1) << 17,
- SETTING_RLIMIT_FIRST = UINT64_C(1) << 18, /* we define one bit per resource limit here */
- SETTING_RLIMIT_LAST = UINT64_C(1) << (18 + _RLIMIT_MAX - 1),
- _SETTINGS_MASK_ALL = (UINT64_C(1) << (18 + _RLIMIT_MAX)) - 1
+ SETTING_NO_NEW_PRIVILEGES = UINT64_C(1) << 18,
+ SETTING_RLIMIT_FIRST = UINT64_C(1) << 19, /* we define one bit per resource limit here */
+ SETTING_RLIMIT_LAST = UINT64_C(1) << (19 + _RLIMIT_MAX - 1),
+ _SETTINGS_MASK_ALL = (UINT64_C(1) << (19 + _RLIMIT_MAX)) - 1
 } SettingsMask;
 
 typedef struct Settings {
@@ -76,6 +77,7 @@ typedef struct Settings {
 char **syscall_blacklist;
 struct rlimit *rlimit[_RLIMIT_MAX];
 char *hostname;
+ int no_new_privileges;
 
 /* [Image] */
 int read_only; |
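Review bot: The rlimit bit offset is spelled out three times (`19` in SETTING_RLIMIT_FIRST, SETTING_RLIMIT_LAST and _SETTINGS_MASK_ALL), so adding SETTING_NO_NEW_PRIVILEGES meant bumping all three by hand. If a later addition misses one, a per-rlimit bit would alias a named setting and a mask test for one setting would silently match another; that matters if, as it appears, these bits decide which source a setting is taken from. Deriving the dependent values from the first, e.g. `SETTING_RLIMIT_LAST = (uint64_t) SETTING_RLIMIT_FIRST << (_RLIMIT_MAX - 1),` and `_SETTINGS_MASK_ALL = ((uint64_t) SETTING_RLIMIT_FIRST << _RLIMIT_MAX) - 1`, would leave a single line to edit. The enum begins above the hunk.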
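Review bot: `int no_new_privileges;` in the second hunk has no comment on its value range, and for a field that controls PR_SET_NO_NEW_PRIVS the meaning of "not configured" should be explicit. The parser and the initial value are outside this hunk, so it is not visible whether this is a plain boolean or a tristate with a negative "unset" value. A comment such as `/* <0: not configured, 0: off, >0: set PR_SET_NO_NEW_PRIVS for the payload (confirm against the parser) */` would settle it for readers. It is also worth confirming in the merge code, which is not shown here, that a settings file cannot clear the flag once the command line has enabled it. struct Settings begins and ends outside the hunk.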
