Init user-ns setresuid/setresgid before initializing other NSes
parent
a0cc72aa5c
commit
3b83267cfd
3
Makefile
3
Makefile
@ -79,7 +79,8 @@ indent:
|
||||
|
||||
nsjail.o: nsjail.h common.h cmdline.h log.h net.h subproc.h
|
||||
cmdline.o: cmdline.h common.h log.h util.h
|
||||
contain.o: contain.h common.h cgroup.h log.h mount.h net.h pid.h util.h uts.h
|
||||
contain.o: contain.h common.h cgroup.h log.h mount.h net.h pid.h user.h
|
||||
contain.o: util.h uts.h
|
||||
log.o: log.h common.h
|
||||
cgroup.o: cgroup.h common.h log.h util.h
|
||||
mount.o: mount.h common.h log.h subproc.h util.h
|
||||
|
26
contain.c
26
contain.c
@ -47,9 +47,15 @@
|
||||
#include "mount.h"
|
||||
#include "net.h"
|
||||
#include "pid.h"
|
||||
#include "user.h"
|
||||
#include "util.h"
|
||||
#include "uts.h"
|
||||
|
||||
static bool containUserNs(struct nsjconf_t *nsjconf)
|
||||
{
|
||||
return userInitNsFromChild(nsjconf);
|
||||
}
|
||||
|
||||
static bool containInitPidNs(struct nsjconf_t *nsjconf)
|
||||
{
|
||||
return pidInitNs(nsjconf);
|
||||
@ -72,23 +78,6 @@ static bool containInitCgroupNs(void)
|
||||
|
||||
static bool containDropPrivs(struct nsjconf_t *nsjconf)
|
||||
{
|
||||
/*
|
||||
* Best effort because of /proc/self/setgroups
|
||||
*/
|
||||
gid_t *group_list = NULL;
|
||||
if (setgroups(0, group_list) == -1) {
|
||||
PLOG_D("setgroups(NULL) failed");
|
||||
}
|
||||
if (syscall(__NR_setresgid, nsjconf->inside_gid, nsjconf->inside_gid, nsjconf->inside_gid)
|
||||
== -1) {
|
||||
PLOG_E("setresgid(%u)", nsjconf->inside_gid);
|
||||
return false;
|
||||
}
|
||||
if (syscall(__NR_setresuid, nsjconf->inside_uid, nsjconf->inside_uid, nsjconf->inside_uid)
|
||||
== -1) {
|
||||
PLOG_E("setresuid(%u)", nsjconf->inside_uid);
|
||||
return false;
|
||||
}
|
||||
#ifndef PR_SET_NO_NEW_PRIVS
|
||||
#define PR_SET_NO_NEW_PRIVS 38
|
||||
#endif
|
||||
@ -354,6 +343,9 @@ bool containSetupFD(struct nsjconf_t * nsjconf, int fd_in, int fd_out, int fd_er
|
||||
|
||||
bool containContain(struct nsjconf_t * nsjconf)
|
||||
{
|
||||
if (containUserNs(nsjconf) == false) {
|
||||
return false;
|
||||
}
|
||||
if (containInitPidNs(nsjconf) == false) {
|
||||
return false;
|
||||
}
|
||||
|
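Review bot: Reordering containContain so that containUserNs runs first means setresgid/setresuid to inside_gid/inside_uid now happens before the PID namespace (and presumably the mount/net/uts setup that follows outside this hunk) is initialised; if inside_uid is non-zero, that UID transition normally clears the effective capability set, so the later namespace steps that need CAP_SYS_ADMIN in the new user namespace may start failing for non-root inside users. Either that constraint should be checked (e.g. refuse or warn when inside_uid != 0 and further NS init is still pending) or the intended ordering documented at the call site, e.g. `/* Must run first: maps and switches to inside_uid/gid inside the new user ns; later NS init relies on the capabilities kept after this switch */` above `if (containUserNs(nsjconf) == false)`. Note also that containDropPrivs keeps its PR_SET_NO_NEW_PRIVS step but its remaining body is cut off past the hunk, as is the rest of containContain, so I cannot see whether any later step still assumes the old UID.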
24
user.c
24
user.c
@ -29,6 +29,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/syscall.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "log.h"
|
||||
@ -189,3 +190,26 @@ bool userInitNsFromParent(struct nsjconf_t * nsjconf, pid_t pid)
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
bool userInitNsFromChild(struct nsjconf_t * nsjconf)
|
||||
{
|
||||
/*
|
||||
* Best effort because of /proc/self/setgroups
|
||||
*/
|
||||
gid_t *group_list = NULL;
|
||||
if (setgroups(0, group_list) == -1) {
|
||||
PLOG_D("setgroups(NULL) failed");
|
||||
}
|
||||
if (syscall(__NR_setresgid, nsjconf->inside_gid, nsjconf->inside_gid, nsjconf->inside_gid)
|
||||
== -1) {
|
||||
PLOG_E("setresgid(%u)", nsjconf->inside_gid);
|
||||
return false;
|
||||
}
|
||||
if (syscall(__NR_setresuid, nsjconf->inside_uid, nsjconf->inside_uid, nsjconf->inside_uid)
|
||||
== -1) {
|
||||
PLOG_E("setresuid(%u)", nsjconf->inside_uid);
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
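Review bot: userInitNsFromChild treats every setgroups() failure as best-effort, but the justification in the comment (`/proc/self/setgroups` set to "deny" in a new user namespace, which yields EPERM) only covers the user-namespace case; when nsjail is run as real root without a fresh user ns, a failed setgroups silently leaves the parent's supplementary groups on the jailed process. Consider tolerating only the expected error, `if (setgroups(0, group_list) == -1 && errno != EPERM) { PLOG_E("setgroups(NULL)"); return false; }`, with the existing PLOG_D for the EPERM case. Separately, the raw `syscall(__NR_setresgid, ...)`/`syscall(__NR_setresuid, ...)` calls bypass the libc wrappers; on 32-bit targets those numbers are, as far as I recall, the legacy 16-bit-ID variants (the 32-bit ones are `__NR_setresuid32`/`__NR_setresgid32`), so inside_uid/inside_gid above 65535 would be truncated — worth a comment stating why the raw syscall is used and, if 32-bit builds matter, selecting the `*32` numbers where they exist.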