fix: Drop additional capabilities in the reloader.

Bug: NA Change-Id: Id0fe14c38b28e9ce3c459ba22031da63cd928b58 GitOrigin-RevId: 35e430df40018c721f1b335d667d7fe0721d5c79
privacysandbox · Jan 15, 2025 · 99c60f3 · 99c60f3
1 parent b659f7d
commit 99c60f3
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/roma/byob/container/run_workers.cc b/src/roma/byob/container/run_workers.cc
@@ -306,6 +306,11 @@ int ReloaderImpl(void* arg) {
        GetSourcesAndTargets(reloader_impl_arg.mounts)) {
     sources_and_targets_read_only.push_back({target, target});
   }
+  CHECK_OK(SetPrctlOptions({{PR_CAPBSET_DROP, CAP_SYS_BOOT},
+                            {PR_CAPBSET_DROP, CAP_SYS_MODULE},
+                            {PR_CAPBSET_DROP, CAP_SYS_RAWIO},
+                            {PR_CAPBSET_DROP, CAP_MKNOD},
+                            {PR_CAPBSET_DROP, CAP_NET_ADMIN}}));
   while (true) {
     // Start a new worker.
     const std::string execution_token = GenerateUuid();