mount: allow to use --disable_newuser for root users
This commit is contained in:
parent
769ff19306
commit
2b797a19fd
42
caps.c
42
caps.c
@ -209,6 +209,9 @@ static bool CapsInitNsKeepCaps(cap_user_data_t cap_data)
bool capsInitNs(struct nsjconf_t * nsjconf)
{
char dbgmsg[4096];
struct ints_t *p;
cap_user_data_t cap_data = capsGet();
if (cap_data == NULL) {
return false;
@ -220,11 +223,8 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
return CapsInitNsKeepCaps(cap_data);
}
char dbgmsg[4096];
dbgmsg[0] = '\0';
/* Set all requested caps in the inheritable set if these are present in the permitted set */
struct ints_t *p;
dbgmsg[0] = '\0';
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
if (capsGetPermitted(cap_data, p->val) == false) {
LOG_W("Capability %s is not permitted in the namespace",
@ -235,22 +235,6 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
capsSetInheritable(cap_data, p->val);
}
LOG_D("Adding the following capabilities to the inheritable set:%s", dbgmsg);
if (capsSet(cap_data) == false) {
return false;
}
/* Make sure inheritable set is preserved across execve via the modified ambient set */
dbgmsg[0] = '\0';
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
-1) {
PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
capsValToStr(p->val));
} else {
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
}
}
LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
/*
* Make sure all other caps (those which were not explicitly requested) are removed from the
@ -269,5 +253,23 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
}
LOG_D("Dropped the following capabilities from the bounding set:%s", dbgmsg);
/* Must be performed after CAPBSET has been manipulated */
if (capsSet(cap_data) == false) {
return false;
}
/* Make sure inheritable set is preserved across execve via the modified ambient set */
dbgmsg[0] = '\0';
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
-1) {
PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
capsValToStr(p->val));
} else {
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
}
}
LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
return true;
}
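Review bot: The comment `/* Must be performed after CAPBSET has been manipulated */` above the capsSet() call in the last hunk says when but not why, so a later reader could move the call back up. I would expand it to state the reason, e.g. `/* capsSet() installs the trimmed permitted/effective sets; PR_CAPBSET_DROP needs CAP_SETPCAP in the caller's effective set, so the bounding-set loop must run first */` — hedged, because the CAP_SETPCAP handling and the dropped-capability list are not visible in this hunk. The ambient-raise loop that follows still only warns (PLOG_W) when PR_CAP_AMBIENT_RAISE fails, so a capability requested via --cap can silently be missing after execve; if callers rely on the list being honoured, that branch should `return false;`. capsInitNs starts in an earlier hunk of this file.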
24
contain.c
24
contain.c
@ -89,6 +89,30 @@ static bool containDropPrivs(struct nsjconf_t *nsjconf)
PLOG_W("prctl(PR_SET_NO_NEW_PRIVS, 1)");
}
}
if (nsjconf->clone_newuser == false) {
LOG_D("setresgid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id);
if (syscall(__NR_setresgid, TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id)
== -1) {
PLOG_E("setresgid(%u)", TAILQ_FIRST(&nsjconf->gids)->inside_id);
return false;
}
LOG_D("setresuid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->uids)->inside_id,
TAILQ_FIRST(&nsjconf->uids)->inside_id,
TAILQ_FIRST(&nsjconf->uids)->inside_id);
if (syscall(__NR_setresuid, TAILQ_FIRST(&nsjconf->uids)->inside_id,
TAILQ_FIRST(&nsjconf->uids)->inside_id,
TAILQ_FIRST(&nsjconf->uids)->inside_id)
== -1) {
PLOG_E("setresuid(%u)", TAILQ_FIRST(&nsjconf->uids)->inside_id);
return false;
}
}
if (capsInitNs(nsjconf) == false) {
return false;
}
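Review bot: In the new `clone_newuser == false` branch, a root caller that setresuid()s to a non-zero inside_id has its permitted and effective capability sets cleared by the kernel (unless PR_SET_KEEPCAPS / SECBIT_KEEP_CAPS is set), yet capsInitNs() runs only afterwards at the end of the hunk, so every capability requested via --cap would then take the "not permitted" warning path; the keep-caps branch of capsInitNs() is not visible here, so this is inferred from the ordering alone. Either move the capsInitNs() call ahead of the uid/gid switch or bracket the switch with `prctl(PR_SET_KEEPCAPS, 1UL, 0UL, 0UL, 0UL)` before setresuid() and `prctl(PR_SET_KEEPCAPS, 0UL, 0UL, 0UL, 0UL)` after it when the caps list is non-empty. Separately, the LOG_D lines format inside_id with %d while the PLOG_E lines use %u; pick the specifier matching the field's type. The branch also dereferences TAILQ_FIRST() of the uids/gids lists unguarded, which is fine only if the config layer guarantees a default entry. containDropPrivs starts before this hunk.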
4
mount.c
4
mount.c
@ -314,8 +314,8 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
return false;
}
if (mount("/", "/", NULL, MS_BIND | MS_REC | MS_PRIVATE | MS_REMOUNT, NULL) == -1) {
PLOG_E("mount('/', '/', NULL, MS_BIND|MS_REC|MS_PRIVATE|MS_REMOUNT, NULL)");
if (mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
PLOG_E("mount('/', '/', NULL, MS_REC|MS_PRIVATE, NULL)");
return false;
}
if (mount(NULL, destdir, "tmpfs", 0, "size=16777216") == -1) {
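Review bot: The first mount() in this hunk is now a soft failure — the code falls back to the plain `MS_REC | MS_PRIVATE` call — but it still logs with PLOG_E, so every run that takes the fallback (by the commit title, the root/--disable_clone_newuser case) reports an error that is not one; change that line to `PLOG_W("mount('/', '/', NULL, MS_BIND|MS_REC|MS_PRIVATE|MS_REMOUNT, NULL)");` or PLOG_D. A one-line comment on why two attempts are made would also help, e.g. `/* The bind-remount of '/' is refused in some setups (presumably without a fresh user namespace); fall back to only changing propagation */` — hedged, since the failing configuration is not stated in the hunk. Note that the fallback changes propagation only and does not re-bind '/', so any later step that assumed the bind-remount took effect should be checked. mountInitNsInternal continues outside this hunk.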
5
user.c
5
user.c
@ -263,6 +263,11 @@ bool userInitNsFromChild(struct nsjconf_t * nsjconf)
if (setgroups(0, group_list) == -1) {
PLOG_D("setgroups(NULL) failed");
}
if (nsjconf->clone_newuser == false) {
return true;
}
LOG_D("setresgid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id, TAILQ_FIRST(&nsjconf->gids)->inside_id);
if (syscall(__NR_setresgid, TAILQ_FIRST(&nsjconf->gids)->inside_id,