Changed the code to this:
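@require('get_no_new_privs')
def test_no_new_privs(self):
    """Test the no_new_privs function.

    The flag starts at 0 in the test process. It is only ever set in
    forked children, because no_new_privs cannot be cleared again once a
    process has set it. Each child reports its result to the parent
    through its exit status.
    """
    self.assertEqual(prctl.get_no_new_privs(), 0)

    # Part 1: setting the flag is reflected by the getter.
    pid = os.fork()
    if pid:
        self.assertEqual(os.waitpid(pid, 0)[1], 0)
    else:
        # The child must never return into the test runner: a failed
        # assertion here would otherwise keep running the remaining
        # tests in a second process. Report failure via the exit status.
        status = 1
        try:
            prctl.set_no_new_privs(1)
            self.assertEqual(prctl.get_no_new_privs(), 1)
            status = 0
        finally:
            os._exit(status)

    # Part 2 (unprivileged users only): with the flag set, exec'ing a
    # program that needs to gain privileges is expected to fail.
    #
    # NOTE(review): this only holds if the ping binary gains privilege at
    # exec time (setuid root or file capabilities). Where ping runs
    # unprivileged, e.g. ICMP datagram sockets permitted through
    # net.ipv4.ping_group_range, it succeeds under no_new_privs as well,
    # and the assertion below fails without PR_SET_NO_NEW_PRIVS being
    # broken. Confirm how ping is installed on the test host.
    if os.geteuid() != 0:
        pid = os.fork()
        if pid:
            # >>> this is the assertion reported as failing
            self.assertNotEqual(os.waitpid(pid, 0)[1], 0)
        else:
            try:
                prctl.set_no_new_privs(1)
                os.execvp('ping', ['ping', '-c1', 'localhost'])
            finally:
                # Reached only if setting the flag or the exec itself
                # raised. Exit 0 so the parent's assertNotEqual fails and
                # the problem is surfaced instead of passing silently.
                os._exit(0)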
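and the indicated assert fails. So either ping no longer needs privileges or
PR_SET_NO_NEW_PRIVS has stopped working. Checking whether the ping binary is
still setuid or carries file capabilities would tell the two cases apart.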