From: Robert Swiecki
Date: Sun, 1 Oct 2017 03:16:01 +0000 (+0200)
Subject: mount: allow to use --disable_newuser for root users
X-Git-Tag: 1.9~46
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=2b797a19fd1da7ca003a9e29329eae6adacdea68;p=platform%2Fupstream%2Fnsjail.git
mount: allow to use --disable_newuser for root users
---
diff --git a/caps.c b/caps.c
index 87d345a..4a5cc09 100644
--- a/caps.c
+++ b/caps.c
@@ -209,6 +209,9 @@ static bool CapsInitNsKeepCaps(cap_user_data_t cap_data)
 bool capsInitNs(struct nsjconf_t * nsjconf)
 {
+ char dbgmsg[4096];
+ struct ints_t *p;
+
 cap_user_data_t cap_data = capsGet();
 if (cap_data == NULL) {
 return false;
@@ -220,11 +223,8 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
 return CapsInitNsKeepCaps(cap_data);
 }
- char dbgmsg[4096];
- dbgmsg[0] = '\0';
-
 /* Set all requested caps in the inheritable set if these are present in the permitted set */
- struct ints_t *p;
+ dbgmsg[0] = '\0';
 TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
 if (capsGetPermitted(cap_data, p->val) == false) {
 LOG_W("Capability %s is not permitted in the namespace",
@@ -235,22 +235,6 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
 capsSetInheritable(cap_data, p->val);
 }
 LOG_D("Adding the following capabilities to the inheritable set:%s", dbgmsg);
- if (capsSet(cap_data) == false) {
- return false;
- }
-
- /* Make sure inheritable set is preserved across execve via the modified ambient set */
- dbgmsg[0] = '\0';
- TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
- if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
- -1) {
- PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
- capsValToStr(p->val));
- } else {
- utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
- }
- }
- LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
 /*
 * Make sure all other caps (those which were not explicitly requested) are removed from the
@@ -269,5 +253,23 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
 }
 LOG_D("Dropped the following capabilities from the bounding set:%s", dbgmsg);
+ /* Must be performed after CAPBSET has been manipulated */
+ if (capsSet(cap_data) == false) {
+ return false;
+ }
+
+ /* Make sure inheritable set is preserved across execve via the modified ambient set */
+ dbgmsg[0] = '\0';
+ TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
+ if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
+ -1) {
+ PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
+ capsValToStr(p->val));
+ } else {
+ utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
+ }
+ }
+ LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
+
 return true;
 }
diff --git a/contain.c b/contain.c
index 6987f9f..2957002 100644
--- a/contain.c
+++ b/contain.c
@@ -89,6 +89,30 @@ static bool containDropPrivs(struct nsjconf_t *nsjconf)
 PLOG_W("prctl(PR_SET_NO_NEW_PRIVS, 1)");
 }
 }
+
+ if (nsjconf->clone_newuser == false) {
+ LOG_D("setresgid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->gids)->inside_id,
+ TAILQ_FIRST(&nsjconf->gids)->inside_id,
+ TAILQ_FIRST(&nsjconf->gids)->inside_id);
+ if (syscall(__NR_setresgid, TAILQ_FIRST(&nsjconf->gids)->inside_id,
+ TAILQ_FIRST(&nsjconf->gids)->inside_id,
+ TAILQ_FIRST(&nsjconf->gids)->inside_id)
+ == -1) {
+ PLOG_E("setresgid(%u)", TAILQ_FIRST(&nsjconf->gids)->inside_id);
+ return false;
+ }
+ LOG_D("setresuid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->uids)->inside_id,
+ TAILQ_FIRST(&nsjconf->uids)->inside_id,
+ TAILQ_FIRST(&nsjconf->uids)->inside_id);
+ if (syscall(__NR_setresuid, TAILQ_FIRST(&nsjconf->uids)->inside_id,
+ TAILQ_FIRST(&nsjconf->uids)->inside_id,
+ TAILQ_FIRST(&nsjconf->uids)->inside_id)
+ == -1) {
+ PLOG_E("setresuid(%u)", TAILQ_FIRST(&nsjconf->uids)->inside_id);
+ return false;
+ }
+ }
+
 if (capsInitNs(nsjconf) == false) {
 return false;
 }
diff --git a/mount.c b/mount.c
index 86b4e42..7d597c0 100644
--- a/mount.c
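Review bot: The comment `/* Must be performed after CAPBSET has been manipulated */` above the moved capsSet() call says when but not why, and the why is what a maintainer reordering this function later needs. Dropping capabilities from the bounding set (presumably the prctl(PR_CAPBSET_DROP) loop above the hunk) requires CAP_SETPCAP in the effective set, and capsSet() presumably installs the new effective set, so the reason would be clearer as `/* Must run after the bounding-set drops above: PR_CAPBSET_DROP needs CAP_SETPCAP in the effective set, which capsSet() may remove */`. It is also worth stating in that comment that a capsSet() failure here returns false with the bounding set already reduced, so callers must treat false as fatal rather than retry. capsInitNs starts outside the hunk.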
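Review bot: In the new `clone_newuser == false` branch the setresuid() call runs before capsInitNs(), and if inside_id is non-zero that switch moves all three uids away from 0, at which point the kernel clears the permitted, effective and ambient sets (SECBIT_KEEP_CAPS would preserve only the permitted set, and nothing in the hunk sets it), so the capsInitNs() call that follows would find none of the requested capabilities permitted. Either set PR_SET_KEEPCAPS before the uid change, or document above the branch that --disable_newuser with a non-root inside uid cannot retain capabilities. Smaller points: `TAILQ_FIRST(&nsjconf->gids)` and `TAILQ_FIRST(&nsjconf->uids)` are dereferenced nine times each with no check that the lists are non-empty, and the LOG_D lines format inside_id with `%d` while the PLOG_E lines use `%u`. Hoisting each value into one local of inside_id's type after an empty-list check would remove the repetition and keep the format specifiers in one place. containDropPrivs starts outside the hunk.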
+++ b/mount.c
@@ -314,8 +314,8 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
 return false;
 }
- if (mount("/", "/", NULL, MS_BIND | MS_REC | MS_PRIVATE | MS_REMOUNT, NULL) == -1) {
- PLOG_E("mount('/', '/', NULL, MS_BIND|MS_REC|MS_PRIVATE|MS_REMOUNT, NULL)");
+ if (mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
+ PLOG_E("mount('/', '/', NULL, MS_REC|MS_PRIVATE, NULL)");
 return false;
 }
 if (mount(NULL, destdir, "tmpfs", 0, "size=16777216") == -1) {
diff --git a/user.c b/user.c
index c4fdeac..bd207cd 100644
--- a/user.c
+++ b/user.c
@@ -263,6 +263,11 @@ bool userInitNsFromChild(struct nsjconf_t * nsjconf)
 if (setgroups(0, group_list) == -1) {
 PLOG_D("setgroups(NULL) failed");
 }
+
+ if (nsjconf->clone_newuser == false) {
+ return true;
+ }
+
 LOG_D("setresgid(%d, %d, %d)", TAILQ_FIRST(&nsjconf->gids)->inside_id, TAILQ_FIRST(&nsjconf->gids)->inside_id, TAILQ_FIRST(&nsjconf->gids)->inside_id);
 if (syscall(__NR_setresgid, TAILQ_FIRST(&nsjconf->gids)->inside_id,
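Review bot: The new `mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL)` call has no comment, and its purpose is the security-relevant step of this function: switching every mount under "/" to private propagation so that the tmpfs mounted on destdir next, and whatever follows, stays in this mount namespace instead of propagating back to the parent. Suggest `/* Recursively make the whole mount tree private so later mounts in this namespace cannot propagate to the host */` above the `if`. Since the old form combined MS_BIND|MS_REMOUNT with the propagation flags and apparently did not achieve that, a one-line note in the commit message or the comment that this is a behavioural fix rather than a cleanup would help anyone reading the history. mountInitNsInternal starts and ends outside the hunk.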