Disable securebits again to avoid spawned programs unexpectedly retaining capabilitie...
authorRobert Swiecki <robert@swiecki.net>
Mon, 1 Jul 2019 12:51:32 +0000 (14:51 +0200)
committerRobert Swiecki <robert@swiecki.net>
Mon, 1 Jul 2019 12:51:32 +0000 (14:51 +0200)
user.cc

diff --git a/user.cc b/user.cc
index 3acf3a663a93166ebea48c983160f8361d6ac1a4..0af3e62003004a3e5ee36561b075822d4d335701 100644 (file)
--- a/user.cc
+++ b/user.cc
@@ -276,6 +276,16 @@ bool initNsFromChild(nsjconf_t* nsjconf) {
                return false;
        }
 
+       /*
+        * Disable securebits again to avoid spawned programs
+        * unexpectedly retaining capabilities after a UID/GID
+        * change.
+        */
+       if (prctl(PR_SET_SECUREBITS, 0UL, 0UL, 0UL, 0UL) == -1) {
+               PLOG_E("prctl(PR_SET_SECUREBITS, 0)");
+               return false;
+       }
+
        return true;
 }
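Review bot: The added `prctl(PR_SET_SECUREBITS, 0UL, ...)` near the end of initNsFromChild writes an absolute value of 0, so it clears every securebit rather than only the ones this function enabled earlier. It also fails with EPERM if any `SECBIT_*_LOCKED` bit is already set on the process. The call that set the bits is outside this hunk, so this is inferred, but a restriction inherited from the launcher (for example `SECBIT_NOROOT`) would be removed here if it was still in place. Consider reading the current value with `prctl(PR_GET_SECUREBITS, 0UL, 0UL, 0UL, 0UL)` and writing back `bits & ~mask`, where `mask` holds only the bits set earlier. The comment could also state that this call only changes how later UID changes and execve treat capabilities, since the hunk does not show where the capabilities still held at this point are dropped.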