system.set_no_new_privs

Synopsis

local system = require "system"
system.set_no_new_privs()

Description

Set the no_new_privs attribute for the calling process as a whole (i.e. the attribute is synchronized across all of its threads, even on Linux, where it is otherwise a per-thread attribute).

Only the master VM is allowed to use this function.

Bugs

There’s a libpsx bug (https://bugzilla.kernel.org/show_bug.cgi?id=218607) that prevents thread synchronization from working.

You may use system.seccomp_set_mode_filter() afterwards to synchronize the no_new_privs bit in all threads.
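
Because of the bug above, it is worth checking that every thread really carries the bit after the call (and after the seccomp workaround). The following C program is an added example, not code from this project: it audits a process by reading the NoNewPrivs field of each /proc/<pid>/task/<tid>/status file. It assumes a Linux kernel that exposes that field (4.10 or later); the function names are hypothetical.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Parse the "NoNewPrivs:" field from the text of a
 * /proc/<pid>/task/<tid>/status file (assumes Linux >= 4.10).
 * Returns 1 or 0 for the bit, -1 if the field is absent or malformed. */
int parse_no_new_privs(const char *status)
{
    static const char key[] = "NoNewPrivs:";
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, key, sizeof key - 1) == 0) {
            int v;
            return sscanf(p + sizeof key - 1, "%d", &v) == 1 ? v != 0 : -1;
        }
        p = strchr(p, '\n');      /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Count the threads of `pid` ("self" or a decimal PID) that do NOT report
 * NoNewPrivs: 1. Returns -1 if the task directory cannot be opened. */
int threads_missing_no_new_privs(const char *pid)
{
    char path[320], buf[4096];
    snprintf(path, sizeof path, "/proc/%.20s/task", pid);
    DIR *d = opendir(path);
    if (!d) return -1;
    int missing = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "/proc/%.20s/task/%.255s/status", pid, e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;         /* thread exited during the scan */
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
        if (parse_no_new_privs(buf) != 1) missing++;
    }
    closedir(d);
    return missing;
}

int main(int argc, char **argv)
{
    int missing = threads_missing_no_new_privs(argc > 1 ? argv[1] : "self");
    printf("threads without no_new_privs: %d\n", missing);
    return missing != 0;
}
```

Run it with the PID of the process that called system.set_no_new_privs(); a non-zero count means at least one thread can still gain privileges through execve().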