This bug was fixed in the package ubuntu-core-launcher - 1.0.20
---------------
ubuntu-core-launcher (1.0.20) xenial; urgency=medium
* don't set NO_NEW_PRIVS. This requires changing privilege dropping since
CAP_SYS_ADMIN is needed with seccomp_load(). This means temporarily
dropping until seccomp_load(), then raising before and permanently
dropping after the filter is applied. As a result, setuid/setgid is
required in all policy (but is still mediated by AppArmor)
- LP: #1560211
-- Jamie Strandboge <email address hidden> Mon, 21 Mar 2016 15:24:33 -0500
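
The ordering described in the changelog entry above, as an added example that is not code from ubuntu-core-launcher. It assumes a setuid-root launcher, uses a raw prctl() call in place of libseccomp's seccomp_load(), and loads a constructed allow-all filter; the function names are hypothetical.

```c
/* Added example, not ubuntu-core-launcher source. Assumes a setuid-root
 * launcher; raw prctl() stands in for libseccomp's seccomp_load(). */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* 1 if the process runs as uid/gid and can no longer switch back to root. */
int ids_fully_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid == 0) return 1;            /* target is root: nothing to drop */
    /* a saved ID of 0 would let either call succeed */
    return seteuid(0) == -1 && (gid == 0 || setegid(0) == -1);
}

/* Install a filter without PR_SET_NO_NEW_PRIVS. The kernel then requires
 * CAP_SYS_ADMIN and returns EACCES otherwise. Constructed allow-all filter. */
int load_filter_without_nnp(void) {
    struct sock_filter insns[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = insns };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) ? -errno : 0;
}

/* The ordering from the changelog entry. Returns 0 or a negative errno. */
int sandbox_then_drop(uid_t uid, gid_t gid) {
    /* temporary drop: saved IDs stay root, so privilege can be raised again */
    if (setegid(gid) || seteuid(uid)) return -errno;
    /* ... setup that does not need root runs here ... */
    if (seteuid(0)) return -errno;     /* raise just before loading */
    int rc = load_filter_without_nnp();
    if (rc) return rc;
    /* permanent drop: group first, while still root, then user. These calls
     * run under the filter, so the policy has to allow setuid/setgid. */
    if (setgid(gid) || setuid(uid)) return -errno;
    return ids_fully_dropped(uid, gid) ? 0 : -EPERM;
}

int main(void) {
    int rc = sandbox_then_drop(getuid(), getgid());
    printf("sandbox_then_drop: %d\n", rc);
    return rc ? 1 : 0;
}
```

Run without root, the sequence stops at the raise step with -EPERM; run as root without CAP_SYS_ADMIN, the filter load returns -EACCES.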