I've seen that before using seccomp mode filter you have to set this bit, because it guarantees that a child process can't be executed with greater privileges compared to the parent's ones. But still I can't figure out an exploitation example. Could you show me one?
THEORETICAL SCENARIO: I have a program which can set seccomp filter mode without setting the no_new_privs bit.
GOAL: show a program which exploits it
This requirement ensures that an unprivileged process cannot apply a malicious filter and then invoke a set-user-ID or other privileged program using execve(2), thus potentially compromising that program. (Such a malicious filter might, for example, cause an attempt to use setuid(2) to set the caller's user IDs to nonzero values to instead return 0 without actually making the system call. Thus, the program might be tricked into retaining superuser privileges in circumstances where it is possible to influence it to do dangerous things because it did not actually drop privileges.)
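As an added example (not code from the question or from the seccomp(2) man page quoted above), here is the safe ordering the man page is describing: set `PR_SET_NO_NEW_PRIVS` first, then install the filter. The program forks a child for each case so the filter never touches the caller, and reports what the kernel did through the child's exit status. The filter denies only getppid(2) with EPERM, chosen purely as a harmless, observable marker that the filter is active; the result codes and the `install_filter`/`run_demo` names are this example's own. Run unprivileged, the child that skips the bit gets EACCES from `prctl(PR_SET_SECCOMP, ...)`, which is the kernel refusing exactly the scenario in the question; a process holding CAP_SYS_ADMIN is allowed to install the filter either way, which is why no_new_privs matters most where a later execve(2) of a set-user-ID program could otherwise gain privileges.

```c
/* Added example, not from the question or the man page: install a seccomp
 * filter with no_new_privs set first, and show the kernel's behaviour when
 * the bit is missing. Linux only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* A filter must check the architecture: syscall numbers differ per ABI. */
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* older headers */
#endif

/* Result codes (this example's own), passed back via the child's exit status. */
enum { DEMO_OK = 0, DEMO_NNP_FAILED = 10, DEMO_FILTER_FAILED = 11,
       DEMO_FILTER_NOT_APPLIED = 12, DEMO_FILTER_REFUSED_EACCES = 13 };

/* Allow every syscall except getppid(2), which fails with EPERM. Denying
 * getppid is harmless and easy to observe, which is the only reason it is used. */
static int install_filter(void)
{
    struct sock_filter code[] = {
        /* Kill the process if the ABI is not the one we compiled the numbers for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number; getppid -> EPERM, everything else -> allow. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(code) / sizeof(code[0]),
        .filter = code,
    };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

/* Body of the forked child: optionally set no_new_privs, then install. */
static int child_body(int set_nnp)
{
    if (set_nnp && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return DEMO_NNP_FAILED;
    if (install_filter() != 0)
        return errno == EACCES ? DEMO_FILTER_REFUSED_EACCES : DEMO_FILTER_FAILED;
    /* The filter is live: a direct getppid syscall must now fail with EPERM. */
    errno = 0;
    if (syscall(__NR_getppid) != -1 || errno != EPERM)
        return DEMO_FILTER_NOT_APPLIED;
    return DEMO_OK;
}

/* Fork, run child_body in the child, return its result code (-1 on fork/wait error). */
int run_demo(int set_nnp)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(child_body(set_nnp));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("with no_new_privs:    %d (0 = filter installed and active)\n", run_demo(1));
    printf("without no_new_privs: %d (13 = EACCES, as the man page describes)\n", run_demo(0));
    return 0;
}
```

Compile with `cc -o nnp_demo nnp_demo.c` and run as an ordinary user: the first line prints 0 and the second prints 13. The second case prints 0 only when the process has CAP_SYS_ADMIN in its user namespace, the one situation in which the kernel lets a filter be installed without the bit.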