Index: filed.c
==================================================================
--- filed.c
+++ filed.c
@@ -1,8 +1,9 @@
 #include <sys/sendfile.h>
 #include <sys/socket.h>
 #include <sys/types.h>
+#include <sys/prctl.h>
 #include <arpa/inet.h>
 #include <sys/mman.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
 #include <pthread.h>
@@ -1461,10 +1462,13 @@
 			perror("setuid");
 
 			return(1);
 		}
 	}
+
+	/* Do not allow any privilege changes beyond this point */
+	prctl(PR_SET_NO_NEW_PRIVS, 1);
 
 	/* Initialize */
 	init_ret = filed_init(cache_size);
 	if (init_ret != 0) {
 		perror("filed_init");