Lines Matching +full:mode +full:- +full:loader

5 The execve system call can grant a newly-started program privileges that
12  - The dynamic loader handles ``LD_*`` environment variables differently if
15  - chroot is disallowed to unprivileged processes, since it would allow
19  - The exec code has special handling for ptrace.
21 These are all ad-hoc fixes.  The ``no_new_privs`` bit (since Linux 3.5) is a
37 in ``no_new_privs`` mode.  (This means that setting up a general-purpose
39 interfere with LSM-based sandboxing.)
47  - Filters installed for the seccomp mode 2 sandbox persist across
48    execve and can change the behavior of newly-executed programs.
52  - By itself, ``no_new_privs`` can be used to reduce the attack surface
56    fcap-using binaries; it will need to compromise something without the