author: Vito Caputo <vcaputo@pengaru.com> 2020-05-12 07:42:52 -0700
committer: Dmitry V. Levin <ldv@altlinux.org> 2020-06-22 23:26:13 +0000
commit: dd9cf929e7ec79e5341a44119e00d70ec7dd5f51
tree: cfd40a252329deccb35412d9b03512fd8674318d /modules/pam_limits/limits.conf.5.xml
parent: 0e9b286afe1224b91ff00936058b084ad4b776e4
modules/pam_limits: add support for nonewprivs
Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item. The valid values are a boolean toggle 0/1 to keep semi-consistent with the other numeric limits. It's slightly awkward as this is an oddball relative to the other items in pam_limits but outside of the item value itself this does seem at home in pam_limits.

Resolves: https://github.com/linux-pam/linux-pam/issues/224
Resolves: https://github.com/linux-pam/linux-pam/pull/225
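What the flag behind the new item does to a process, as an added example that is not part of this commit or of Linux-PAM: it sets no_new_privs in a throwaway child, reads it back, shows that a request to clear it is refused, and shows that a forked child inherits it. The names `nnp_get`, `nnp_probe` and the `NNP_*` macros are made up for this illustration.

```c
/* Added example, not Linux-PAM code. Linux >= 3.5 only. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

#define NNP_SET_OK        0x1 /* prctl(PR_SET_NO_NEW_PRIVS, 1) succeeded */
#define NNP_READS_BACK    0x2 /* PR_GET_NO_NEW_PRIVS then returns 1 */
#define NNP_UNSET_REFUSED 0x4 /* asking for 0 fails with EINVAL */
#define NNP_INHERITED     0x8 /* a fork()ed child still reads 1 */

static int nnp_get(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0UL, 0UL, 0UL, 0UL); }

/* Runs in a throwaway child so the caller's own flag is left untouched.
 * Returns a bitmask of NNP_* observations, or -1 if fork/wait failed. */
int nnp_probe(void)
{
    int st, r = 0;
    pid_t kid, pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1UL, 0UL, 0UL, 0UL) == 0)
            r |= NNP_SET_OK;
        if (nnp_get() == 1)
            r |= NNP_READS_BACK;
        /* The kernel accepts only 1 here; the flag cannot be cleared. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 0UL, 0UL, 0UL, 0UL) == -1 && errno == EINVAL)
            r |= NNP_UNSET_REFUSED;
        kid = fork();
        if (kid == 0) _exit(nnp_get() == 1 ? 0 : 1);
        if (kid > 0 && waitpid(kid, &st, 0) == kid && WIFEXITED(st) && WEXITSTATUS(st) == 0)
            r |= NNP_INHERITED;
        _exit(r);
    }
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    int r = nnp_probe();
    printf("set=%d readback=%d unset_refused=%d inherited=%d\n",
           !!(r & NNP_SET_OK), !!(r & NNP_READS_BACK), !!(r & NNP_UNSET_REFUSED), !!(r & NNP_INHERITED));
    return r == 0xF ? 0 : 1;
}
```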
Diffstat (limited to 'modules/pam_limits/limits.conf.5.xml')
-rw-r--r-- modules/pam_limits/limits.conf.5.xml 11
1 files changed, 10 insertions, 1 deletions
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
index 380a1399..cd64ac90 100644
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -228,6 +228,13 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term><option>nonewprivs</option></term>
+ <listitem>
+ <para>value of 0 or 1; if set to 1 disables acquiring new
+ privileges by invoking prctl(PR_SET_NO_NEW_PRIVS)</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>priority</option></term>
<listitem>
<para>the priority to run user process with (negative
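Review bot: the new nonewprivs <para> documents only the value 1; it should also say what 0 means and that the setting is one-way. The kernel offers no way to clear no_new_privs once it is set, and the flag is inherited across fork and execve, so 0 can at most mean "leave the flag as it is" for a session that already has it. Suggest extending the sentence to cover 0 explicitly, and marking up the call as a reference to prctl(2) rather than plain text inside the <para>.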
@@ -274,7 +281,8 @@
<para>
All items support the values <emphasis>-1</emphasis>,
<emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit,
- except for <emphasis remap='B'>priority</emphasis> and <emphasis remap='B'>nice</emphasis>.
+ except for <emphasis remap='B'>priority</emphasis>, <emphasis remap='B'>nice</emphasis>,
+ and <emphasis remap='B'>nonewprivs</emphasis>.
</para>
<para>
If a hard limit or soft limit of a resource is set to a valid value,
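Review bot: adding nonewprivs to the exception list in this <para> says which values the item does not support, but not what happens when one of them, or any value other than 0 or 1, is supplied. priority and nice are numeric ranges, while nonewprivs is described as 0 or 1 only, so the text should state whether a line such as "nonewprivs unlimited" or "nonewprivs 2" is rejected with a log message or ignored; otherwise an administrator cannot tell whether a typo leaves the flag off without any indication.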
@@ -323,6 +331,7 @@
@faculty hard nproc 50
ftp hard nproc 0
@student - maxlogins 4
+@student - nonewprivs 1
:123 hard cpu 5000
@500: soft cpu 10000
600:700 hard locks 10
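Review bot: the added example line "@student - nonewprivs 1" uses type "-", but nothing visible in this patch says whether soft and hard have any meaning for a boolean item; the type description should say so, or state that "-" is the expected form. It is also worth one sentence next to the example that, with the flag set, set-user-ID and file-capability programs started from those sessions no longer gain privileges on execve, so tools such as su, sudo or passwd stop working for members of @student.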