mount: allow to use --disable_newuser for root users

Robert Swiecki 2017-10-01 05:16:01 +02:00
parent 769ff19306
commit 2b797a19fd
4 changed files with 53 additions and 22 deletions

caps.c

@ -209,6 +209,9 @@ static bool CapsInitNsKeepCaps(cap_user_data_t cap_data)
bool capsInitNs(struct nsjconf_t * nsjconf)
{
char dbgmsg[4096];
struct ints_t *p;
cap_user_data_t cap_data = capsGet();
if (cap_data == NULL) {
return false;
@ -220,11 +223,8 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
return CapsInitNsKeepCaps(cap_data);
}
char dbgmsg[4096];
dbgmsg[0] = '\0';
/* Set all requested caps in the inheritable set if these are present in the permitted set */
struct ints_t *p;
dbgmsg[0] = '\0';
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
if (capsGetPermitted(cap_data, p->val) == false) {
LOG_W("Capability %s is not permitted in the namespace",
@ -235,22 +235,6 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
capsSetInheritable(cap_data, p->val);
}
LOG_D("Adding the following capabilities to the inheritable set:%s", dbgmsg);
if (capsSet(cap_data) == false) {
return false;
}
/* Make sure inheritable set is preserved across execve via the modified ambient set */
dbgmsg[0] = '\0';
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
-1) {
PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
capsValToStr(p->val));
} else {
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
}
}
LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
/*
* Make sure all other caps (those which were not explicitly requested) are removed from the
@ -269,5 +253,23 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
}
LOG_D("Dropped the following capabilities from the bounding set:%s", dbgmsg);
/* Must be performed after CAPBSET has been manipulated */
if (capsSet(cap_data) == false) {
return false;
}
/* Make sure inheritable set is preserved across execve via the modified ambient set */
dbgmsg[0] = '\0';
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
-1) {
PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
capsValToStr(p->val));
} else {
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
}
}
LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
return true;
}
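Review bot: The comment `/* Must be performed after CAPBSET has been manipulated */` above the moved capsSet() call states the ordering constraint but not the reason, and the reason is what the next maintainer needs before reordering it again. PR_CAPBSET_DROP requires CAP_SETPCAP in the caller's effective set, so if capsSet() installs a cap_data whose effective set no longer holds CAP_SETPCAP the later drops would fail; I infer that is the motivation, since the hunk does not show what capsSet() writes, and would extend the comment to `/* Must be performed after CAPBSET has been manipulated: PR_CAPBSET_DROP needs CAP_SETPCAP in the effective set, which capsSet() may remove */`. In the same hunk a failed PR_CAP_AMBIENT_RAISE is only logged with PLOG_W and the function still returns true, so a requested capability can silently fail to survive execve while a failed capsSet() is fatal; if the soft failure is deliberate (kernels without ambient-capability support), a one-line comment saying so would make the asymmetry intentional rather than accidental. capsInitNs begins in an earlier hunk; this hunk ends at its closing brace.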


@ -89,6 +89,30 @@ static bool containDropPrivs(struct nsjconf_t *nsjconf)
PLOG_W("prctl(PR_SET_NO_NEW_PRIVS, 1)");
}
}
if (nsjconf->clone_newuser == false) {
LOG_D("setresgid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id);
if (syscall(__NR_setresgid, TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id)
== -1) {
PLOG_E("setresgid(%u)", TAILQ_FIRST(&nsjconf->gids)->inside_id);
return false;
}
LOG_D("setresuid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->uids)->inside_id,
TAILQ_FIRST(&nsjconf->uids)->inside_id,
TAILQ_FIRST(&nsjconf->uids)->inside_id);
if (syscall(__NR_setresuid, TAILQ_FIRST(&nsjconf->uids)->inside_id,
TAILQ_FIRST(&nsjconf->uids)->inside_id,
TAILQ_FIRST(&nsjconf->uids)->inside_id)
== -1) {
PLOG_E("setresuid(%u)", TAILQ_FIRST(&nsjconf->uids)->inside_id);
return false;
}
}
if (capsInitNs(nsjconf) == false) {
return false;
}
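Review bot: The setresuid() added here runs immediately before the capsInitNs() call on the last line of the hunk, and on Linux a change from uid 0 to a non-zero uid clears the permitted and effective capability sets unless keep-caps is enabled (PR_SET_KEEPCAPS or SECBIT_KEEP_CAPS, neither visible in this hunk), so on the new root-without-user-namespace path the requested capabilities may already be gone by the time capsInitNs() inspects the permitted set; please confirm this is intended or that keep-caps is set earlier in containDropPrivs. TAILQ_FIRST(&nsjconf->gids) and TAILQ_FIRST(&nsjconf->uids) are dereferenced without a NULL check, which is a crash if either list can be empty when clone_newuser is false — if the option parser guarantees a default entry, a comment stating that assumption would be enough. As a matter of style, the same TAILQ_FIRST(...)->inside_id expression is written nine times and logged as `%d` in LOG_D but `%u` in PLOG_E; hoisting each id into a local removes the repetition and leaves one format specifier. containDropPrivs starts and ends outside the hunk.

```c
	if (nsjconf->clone_newuser == false) {
		/* Assumes both id lists are non-empty here; an empty list would dereference NULL */
		gid_t gid = TAILQ_FIRST(&nsjconf->gids)->inside_id;
		uid_t uid = TAILQ_FIRST(&nsjconf->uids)->inside_id;
		LOG_D("setresgid(%u, %u, %u)", gid, gid, gid);
		if (syscall(__NR_setresgid, gid, gid, gid) == -1) {
			PLOG_E("setresgid(%u)", gid);
			return false;
		}
		/* uid last: once uid is non-zero the gid change above would no longer be permitted */
		LOG_D("setresuid(%u, %u, %u)", uid, uid, uid);
		if (syscall(__NR_setresuid, uid, uid, uid) == -1) {
			PLOG_E("setresuid(%u)", uid);
			return false;
		}
	}
	// … unchanged: capsInitNs() call …
```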


@ -314,8 +314,8 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
return false;
}
if (mount("/", "/", NULL, MS_BIND | MS_REC | MS_PRIVATE | MS_REMOUNT, NULL) == -1) {
PLOG_E("mount('/', '/', NULL, MS_BIND|MS_REC|MS_PRIVATE|MS_REMOUNT, NULL)");
if (mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
PLOG_E("mount('/', '/', NULL, MS_REC|MS_PRIVATE, NULL)");
return false;
}
if (mount(NULL, destdir, "tmpfs", 0, "size=16777216") == -1) {
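Review bot: The rewritten mount() call changes what the line does — a recursive propagation change of "/" (MS_REC | MS_PRIVATE) instead of a bind remount — but carries no comment, and the commit title says nothing about why the root-without-user-namespace case needs different flags, so the next reader has no way to tell whether the old flags can be restored. I would add above the call `/* Make the whole mount tree private so mount events inside the jail cannot propagate back to the parent namespace */`, and, if the old MS_BIND | MS_REMOUNT form was dropped because it fails outside a fresh user namespace (an inference, not visible here), say that in the same comment. mountInitNsInternal starts and ends outside the hunk.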

user.c

@ -263,6 +263,11 @@ bool userInitNsFromChild(struct nsjconf_t * nsjconf)
if (setgroups(0, group_list) == -1) {
PLOG_D("setgroups(NULL) failed");
}
if (nsjconf->clone_newuser == false) {
return true;
}
LOG_D("setresgid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id, TAILQ_FIRST(&nsjconf->gids)->inside_id);
if (syscall(__NR_setresgid, TAILQ_FIRST(&nsjconf->gids)->inside_id,