woj/nsjail
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

allow setgroups when using exclusively newgid

Browse Source
This commit is contained in:
Wiktor Garbacz 2019-11-01 13:40:25 +01:00
parent 2ca90bf208
commit 1111bb135a
1 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
user.cc
View File

@ -77,12 +77,21 @@ static bool setResUid(uid_t uid) {
return true;
}
static bool hasGidMapSelf(nsjconf_t* nsjconf) {
for (const auto& gid : nsjconf->gids) {
if (!gid.is_newidmap) {
return true;
}
}
return false;
}
static bool setGroupsDeny(nsjconf_t* nsjconf, pid_t pid) {
/*
* No need to write 'deny' to /proc/pid/setgroups if our euid==0, as writing to
* uid_map/gid_map will succeed anyway
*/
if (!nsjconf->clone_newuser || nsjconf->orig_euid == 0) {
if (!nsjconf->clone_newuser || nsjconf->orig_euid == 0 || !hasGidMapSelf(nsjconf)) {
return true;
}
@ -153,7 +162,7 @@ static bool gidMapSelf(nsjconf_t* nsjconf, pid_t pid) {
}
/* Use /usr/bin/newgidmap for writing the gid map */
static bool gidMapExternal(nsjconf_t* nsjconf, pid_t pid UNUSED) {
static bool gidMapExternal(nsjconf_t* nsjconf, pid_t pid) {
bool use = false;
std::vector<std::string> argv = {"/usr/bin/newgidmap", std::to_string(pid)};
@ -179,7 +188,7 @@ static bool gidMapExternal(nsjconf_t* nsjconf, pid_t pid UNUSED) {
}
/* Use /usr/bin/newuidmap for writing the uid map */
static bool uidMapExternal(nsjconf_t* nsjconf, pid_t pid UNUSED) {
static bool uidMapExternal(nsjconf_t* nsjconf, pid_t pid) {
bool use = false;
std::vector<std::string> argv = {"/usr/bin/newuidmap", std::to_string(pid)};