From fc56d74506588fcf57c1dfcc81a83c3e98a75479 Mon Sep 17 00:00:00 2001
From: xiacong
Date: Tue, 20 Jun 2023 15:32:35 +0800
Subject: [PATCH] =?UTF-8?q?bugfix:=20nwebspawn=E8=AE=BE=E7=BD=AEseccomp?=
 =?UTF-8?q?=EF=BC=8C=E7=B3=BB=E7=BB=9F=E8=B0=83=E7=94=A8=E8=8C=83=E5=9B=B4?=
 =?UTF-8?q?=E4=B8=8D=E5=8C=85=E6=8B=ACsetuid=EF=BC=8Csetgid?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: xiacong
Change-Id: I11c9f42a4bf7efb43f25af6560399d3fd21bd0ce
Signed-off-by: xiacong
---
 adapter/appspawn_adapter.cpp | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/adapter/appspawn_adapter.cpp b/adapter/appspawn_adapter.cpp
index 9f2caa0d..d0e978d1 100644
--- a/adapter/appspawn_adapter.cpp
+++ b/adapter/appspawn_adapter.cpp
@@ -24,6 +24,9 @@
 #include "token_setproc.h"
 #ifdef WITH_SECCOMP
 #include "seccomp_policy.h"
+#include
+
+const char* RENDERER_NAME = "renderer";
 #endif
 
 void SetAppAccessToken(struct AppSpawnContent_ *content, AppSpawnClient *client)
@@ -60,7 +63,15 @@ void SetSelinuxCon(struct AppSpawnContent_ *content, AppSpawnClient *client)
 void SetUidGidFilter(struct AppSpawnContent_ *content)
 {
 #ifdef WITH_SECCOMP
+#ifdef NWEB_SPAWN
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+ APPSPAWN_LOGE("Failed to set no new privs");
+ }
+
+ if (!SetSeccompPolicyWithName(INDIVIDUAL, NWEBSPAWN_NAME)) {
+#else
 if (!SetSeccompPolicyWithName(INDIVIDUAL, APPSPAWN_NAME)) {
+#endif
 APPSPAWN_LOGE("Failed to set APPSPAWN seccomp filter and exit");
 #ifndef APPSPAWN_TEST
 _exit(0x7f);
@@ -75,7 +86,7 @@ int SetSeccompFilter(struct AppSpawnContent_ *content, AppSpawnClient *client)
 {
 #ifdef WITH_SECCOMP
 #ifdef NWEB_SPAWN
- const char *appName = NWEBSPAWN_NAME;
+ const char *appName = RENDERER_NAME;
 SeccompFilterType type = INDIVIDUAL;
 #else
 const char *appName = APP_NAME;
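Review bot: `const char* RENDERER_NAME = "renderer";` in the first hunk is a mutable, externally linked global for what is really a compile-time constant; it should be `static const char *const RENDERER_NAME = "renderer";` (or `constexpr`) so nothing outside this translation unit can rebind the policy name, and a comment should say which process the policy applies to, e.g. `// seccomp policy name for render processes spawned by nwebspawn`. The added `#include` line shows no header name in this rendering; it is presumably the `<sys/prctl.h>` include that the `prctl()` call in the next hunk needs and the angle-bracketed name was lost to extraction, but it is worth confirming the committed line is complete, since the declaration block as rendered would not compile.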
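Review bot: A failed `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` is only logged, while the seccomp failure directly below it terminates the process with `_exit(0x7f)`; the two guard the same property, so nwebspawn can continue with the filter installed but without the no-new-privs guarantee that a filter omitting setuid/setgid (per the commit subject) is meant to pair with. I would fail the prctl case the same way, under the same `#ifndef APPSPAWN_TEST` guard. The `#ifdef NWEB_SPAWN … #else … #endif` also splits one `if` statement's head across two preprocessor branches while sharing its body; selecting the policy name into a local and keeping a single `if` is easier to read and to diff, and the shared log text `"Failed to set APPSPAWN seccomp filter and exit"` is now also emitted for the nwebspawn policy. SetUidGidFilter's body continues past the end of the hunk.
```cpp
#ifdef WITH_SECCOMP
#ifdef NWEB_SPAWN
    // Filter below omits setuid/setgid; no-new-privs must hold before it is installed.
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        APPSPAWN_LOGE("Failed to set no new privs");
#ifndef APPSPAWN_TEST
        _exit(0x7f);
#endif
    }
    const char *policyName = NWEBSPAWN_NAME;
#else
    const char *policyName = APPSPAWN_NAME;
#endif
    if (!SetSeccompPolicyWithName(INDIVIDUAL, policyName)) {
        // … unchanged: log the failure and _exit(0x7f) outside APPSPAWN_TEST …
```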
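Review bot: Switching `appName` from `NWEBSPAWN_NAME` to `RENDERER_NAME` in SetSeccompFilter means the spawner (SetUidGidFilter, previous hunk) and the processes it spawns now use two different policies, and nothing in the code says so; a reader seeing `NWEBSPAWN_NAME` in one function and `RENDERER_NAME` in the other will wonder which is the typo. I would add `// spawned render processes get the "renderer" policy; the nwebspawn process itself uses NWEBSPAWN_NAME (see SetUidGidFilter)` above the assignment. Whether the "renderer" policy exists under that name in seccomp_policy.h is not visible here and should be checked. SetSeccompFilter's body continues past the hunk.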