bool capsInitNs(struct nsjconf_t * nsjconf)
{
+ char dbgmsg[4096];
+ struct ints_t *p;
+
cap_user_data_t cap_data = capsGet();
if (cap_data == NULL) {
return false;
return CapsInitNsKeepCaps(cap_data);
}
- char dbgmsg[4096];
- dbgmsg[0] = '\0';
-
/* Set all requested caps in the inheritable set if these are present in the permitted set */
- struct ints_t *p;
+ dbgmsg[0] = '\0';
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
if (capsGetPermitted(cap_data, p->val) == false) {
LOG_W("Capability %s is not permitted in the namespace",
capsSetInheritable(cap_data, p->val);
}
LOG_D("Adding the following capabilities to the inheritable set:%s", dbgmsg);
- if (capsSet(cap_data) == false) {
- return false;
- }
-
- /* Make sure inheritable set is preserved across execve via the modified ambient set */
- dbgmsg[0] = '\0';
- TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
- if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
- -1) {
- PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
- capsValToStr(p->val));
- } else {
- utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
- }
- }
- LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
/*
* Make sure all other caps (those which were not explicitly requested) are removed from the
}
LOG_D("Dropped the following capabilities from the bounding set:%s", dbgmsg);
+ /* Must be performed after CAPBSET has been manipulated */
+ if (capsSet(cap_data) == false) {
+ return false;
+ }
+
+ /* Make sure inheritable set is preserved across execve via the modified ambient set */
+ dbgmsg[0] = '\0';
+ TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
+ if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
+ -1) {
+ PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
+ capsValToStr(p->val));
+ } else {
+ utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
+ }
+ }
+ LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
+
return true;
}
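Review bot: The ambient-set loop added after the capsSet() call treats a failed PR_CAP_AMBIENT_RAISE as a warning only, so a capability the configuration asked for can be absent after execve while capsInitNs() still returns true; if that is deliberate best-effort behaviour the comment should say so, otherwise the loop should return false the way the capsSet() failure just above it does. The comment introducing that loop could also record the ordering the hunk depends on: `/* PR_CAP_AMBIENT_RAISE requires the cap to already be in both the permitted and inheritable sets, so this must run after capsSet() has applied them */`. Parts of the function body between the NULL check and the inheritable-set loop are elided in this view, so I cannot tell whether the "not permitted" branch skips the cap or falls through to capsSetInheritable().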
PLOG_W("prctl(PR_SET_NO_NEW_PRIVS, 1)");
}
}
+
+ if (nsjconf->clone_newuser == false) {
+ LOG_D("setresgid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->gids)->inside_id,
+ TAILQ_FIRST(&nsjconf->gids)->inside_id,
+ TAILQ_FIRST(&nsjconf->gids)->inside_id);
+ if (syscall(__NR_setresgid, TAILQ_FIRST(&nsjconf->gids)->inside_id,
+ TAILQ_FIRST(&nsjconf->gids)->inside_id,
+ TAILQ_FIRST(&nsjconf->gids)->inside_id)
+ == -1) {
+ PLOG_E("setresgid(%u)", TAILQ_FIRST(&nsjconf->gids)->inside_id);
+ return false;
+ }
+ LOG_D("setresuid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->uids)->inside_id,
+ TAILQ_FIRST(&nsjconf->uids)->inside_id,
+ TAILQ_FIRST(&nsjconf->uids)->inside_id);
+ if (syscall(__NR_setresuid, TAILQ_FIRST(&nsjconf->uids)->inside_id,
+ TAILQ_FIRST(&nsjconf->uids)->inside_id,
+ TAILQ_FIRST(&nsjconf->uids)->inside_id)
+ == -1) {
+ PLOG_E("setresuid(%u)", TAILQ_FIRST(&nsjconf->uids)->inside_id);
+ return false;
+ }
+ }
+
if (capsInitNs(nsjconf) == false) {
return false;
}
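Review bot: The new setresuid() call runs before capsInitNs(), and if the process was UID 0 a change of all three UIDs to a nonzero value clears the permitted and effective capability sets unless PR_SET_KEEPCAPS/SECBIT_KEEP_CAPS is in force, which nothing in this hunk sets; if it is not set elsewhere, the capabilities listed in nsjconf->caps will already be gone when capsInitNs() tries to move them into the inheritable and ambient sets. That is worth confirming against the keep_caps handling in caps.c, or documenting that requested caps are only honoured together with clone_newuser. Separately, the LOG_D lines print inside_id with `%d` while the PLOG_E lines use `%u` for the same field; use the one that matches the field's type in both. Hoisting the repeated lookups into locals, `gid_t gid = TAILQ_FIRST(&nsjconf->gids)->inside_id;` and `uid_t uid = TAILQ_FIRST(&nsjconf->uids)->inside_id;`, would shorten both syscalls and their log lines. The enclosing function starts before this hunk.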
return false;
}
- if (mount("/", "/", NULL, MS_BIND | MS_REC | MS_PRIVATE | MS_REMOUNT, NULL) == -1) {
- PLOG_E("mount('/', '/', NULL, MS_BIND|MS_REC|MS_PRIVATE|MS_REMOUNT, NULL)");
+ if (mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
+ PLOG_E("mount('/', '/', NULL, MS_REC|MS_PRIVATE, NULL)");
return false;
}
if (mount(NULL, destdir, "tmpfs", 0, "size=16777216") == -1) {
if (setgroups(0, group_list) == -1) {
PLOG_D("setgroups(NULL) failed");
}
+
+ if (nsjconf->clone_newuser == false) {
+ return true;
+ }
+
LOG_D("setresgid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->gids)->inside_id,
TAILQ_FIRST(&nsjconf->gids)->inside_id, TAILQ_FIRST(&nsjconf->gids)->inside_id);
if (syscall(__NR_setresgid, TAILQ_FIRST(&nsjconf->gids)->inside_id,