authorMike Frysinger <vapier@gentoo.org>2021-10-21 20:20:58 -0400
committerMike Frysinger <vapier@gentoo.org>2021-10-23 20:54:46 -0400
commitf0d8469ab6f3a4039038bf86cc829e917b596f40 (patch)
tree25fb9ed1dd03c33514259e3631eb4fc031eef4a1 /src
parenttests: fix lremovexattr typo (diff)
sandbox: leverage PR_SET_NO_NEW_PRIVS when availablev2.27
This will lock down the ability to use set*id programs (like sudo), and will allow us to utilize seccomp bpf to speed up ptrace. Closes: https://bugs.gentoo.org/442172 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'src')
-rw-r--r--src/sandbox.c16
1 files changed, 16 insertions, 0 deletions
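--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -278,6 +278,22 @@ int main(int argc, char **argv)
 }
 }
+#ifdef HAVE_PRCTL
+ /* Lock down access to elevated privileges. In practice, this will block
+ * use of tools like su and sudo, and will allow use of seccomp bpf.
+ */
+# ifdef PR_SET_NO_NEW_PRIVS
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
+ /* Ignore EINVAL in case we're on old kernels. Unfortunately we can't
+ * differentiate between EINVAL due to unsupported PR_xxx and EINVAL
+ * due to bad 2nd/3rd/4th/5th args.
+ */
+ if (errno != EINVAL)
+ sb_eerror("prctl(PR_SET_NO_NEW_PRIVS) failed");
+ }
+# endif
+#endif
+
 /* Set up the required signal handlers */
 int sigs[] = { SIGHUP, SIGINT, SIGQUIT, SIGTERM, SIGUSR1, };
 struct sigaction act_new, act_old[ARRAY_SIZE(sigs)];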
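Review bot: The `errno != EINVAL` branch silently drops the lockdown on kernels without PR_SET_NO_NEW_PRIVS, so a run on such a kernel keeps the old set*id behaviour and nothing in the log records the degraded posture; the same applies when the build-time `# ifdef PR_SET_NO_NEW_PRIVS` guard compiles the whole block out because the headers are older than the kernel. Consider a diagnostic in the EINVAL path, and have any later code that relies on the flag (the seccomp use the commit message mentions) read the state back with `prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)` rather than assume it was set. A one-line header comment such as `/* no_new_privs is inherited by every child the sandbox spawns; it must be set before the first fork/exec. */` would also document why the call sits here. The enclosing `main()` starts and ends outside the hunk.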