From: Etienne CHAMPETIER Date: Mon, 30 Nov 2015 23:09:24 +0000 (+0000) Subject: ujail: add no_new_privs (-c) option X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=def4c1b9766cf04cfdf42ada9e27fff228d0dc19;p=project%2Fprocd.git ujail: add no_new_privs (-c) option set PR_SET_NO_NEW_PRIVS to 1 Signed-off-by: Etienne CHAMPETIER --- diff --git a/jail/jail.c b/jail/jail.c index 25ad4d7..97ddaab 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -35,13 +35,14 @@ #include #define STACK_SIZE (1024 * 1024) -#define OPT_ARGS "S:C:n:r:w:d:psulo" +#define OPT_ARGS "S:C:n:r:w:d:psuloc" static struct { char *name; char **jail_argv; char *seccomp; char *capabilities; + int no_new_privs; int namespace; int procfs; int ronly; @@ -212,6 +213,7 @@ static void usage(void) fprintf(stderr, " -d \tshow debug log (increase num to increase verbosity)\n"); fprintf(stderr, " -S \tseccomp filter config\n"); fprintf(stderr, " -C \tcapabilities drop config\n"); + fprintf(stderr, " -c\t\tset PR_SET_NO_NEW_PRIVS\n"); fprintf(stderr, " -n \tthe name of the jail\n"); fprintf(stderr, "namespace jail options:\n"); fprintf(stderr, " -r \treadonly files that should be staged\n"); @@ -239,6 +241,11 @@ static int exec_jail(void) if (opts.capabilities && drop_capabilities(opts.capabilities)) exit(EXIT_FAILURE); + if (opts.no_new_privs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %s\n", strerror(errno)); + exit(EXIT_FAILURE); + } + INFO("exec-ing %s\n", *opts.jail_argv); execve(*opts.jail_argv, opts.jail_argv, envp); /* we get there only if execve fails */ @@ -321,6 +328,9 @@ int main(int argc, char **argv) opts.capabilities = optarg; add_mount(optarg, 1, -1); break; + case 'c': + opts.no_new_privs = 1; + break; case 'n': opts.name = optarg; break;