author | Colin Walters <walters@verbum.org> | 2015-08-25 18:23:30 -0400 |
---|---|---|
committer | Colin Walters <walters@verbum.org> | 2015-08-25 18:27:15 -0400 |
commit | 123f234aa42e3d57bb13de7206d25108c739e059 (patch) | |
tree | f17c7179c61d1c94a97840b0e8265bd084c71798 | |
parent | 233a52742adf86584701932ee571da75848fec19 (diff) | |
download | linux-user-chroot-123f234aa42e3d57bb13de7206d25108c739e059.tar.gz |
Drop use of SECBIT_NOROOT, hard require PR_SET_NO_NEW_PRIVS
So sadly, I screwed up the invocation of `prctl(PR_SET_NO_NEW_PRIVS` -
we need to provide 0 for the remaining arguments, otherwise the
kernel will *always* give us `-EINVAL`.
I didn't notice this at the time because I wanted to support the RHEL6
kernel. Anyways, I no longer care about RHEL6 myself, and I'm going
to declare no one else should either =)
-rw-r--r-- | configure.ac | 4 | ||||
-rw-r--r-- | src/linux-user-chroot.c | 21 |
2 files changed, 7 insertions, 18 deletions
diff --git a/configure.ac b/configure.ac
index 4910b32..a634c5b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,10 +24,6 @@ AC_SUBST(WARN_CFLAGS)
 LT_PREREQ([2.2.4])
 LT_INIT([disable-static])
-AC_CHECK_HEADER([linux/securebits.h],
- [AC_DEFINE([HAVE_LINUX_SECUREBITS_H], [1],
- [Define to 1 if we have securebits.h])])
-
 AC_ARG_ENABLE(documentation,
 AC_HELP_STRING([--enable-documentation], [build documentation]),,
diff --git a/src/linux-user-chroot.c b/src/linux-user-chroot.c
index 8b8700d..42bbae2 100644
--- a/src/linux-user-chroot.c
+++ b/src/linux-user-chroot.c
@@ -8,7 +8,7 @@
 * distribution, allow privilege escalation. See the README for more
 * details.
 *
- * Copyright 2011,2012 Colin Walters <walters@verbum.org>
+ * Copyright 2011,2012,2015 Colin Walters <walters@verbum.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -43,12 +43,6 @@
 #include <sys/syscall.h>
 #include <sys/wait.h>
 #include <sched.h>
-#ifdef HAVE_LINUX_SECUREBITS_H
-#include <linux/securebits.h>
-#else
-#define SECBIT_NOROOT (1 << 0)
-#define SECBIT_NOROOT_LOCKED (1 << 1)
-#endif
 #ifndef PR_SET_NO_NEW_PRIVS
 #define PR_SET_NO_NEW_PRIVS 38
@@ -319,16 +313,15 @@ main (int argc,
 *
 * http://lwn.net/Articles/504879/
 *
- * If that's not available, we fall back to using SECBIT_NOROOT.
- *
 * Following the belt-and-suspenders model, we also make a
- * MS_NOSUID bind mount below.
+ * MS_NOSUID bind mount below. I don't think this is strictly
+ * necessary, but at least we doubly ensure we're not going to
+ * be executing any setuid binaries from the host's /. It
+ * doesn't help if there are any other mount points with setuid
+ * binaries, but `PR_SET_NO_NEW_PRIVS` fixes that.
 */
- if (prctl (PR_SET_NO_NEW_PRIVS, 1) < 0 && errno != EINVAL)
+ if (prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
 fatal_errno ("prctl (PR_SET_NO_NEW_PRIVS)");
- else if (prctl (PR_SET_SECUREBITS,
- SECBIT_NOROOT | SECBIT_NOROOT_LOCKED) < 0)
- fatal_errno ("prctl (SECBIT_NOROOT)");
 /* This is necessary to undo the damage "sandbox" creates on Fedora
 * by making / a shared mount instead of private. This isn't |
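Review bot: Now that the SECBIT_NOROOT fallback is gone, an EINVAL from the new `prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` call means the running kernel has no no_new_privs support at all (it was added in Linux 3.5, the feature the linked LWN article describes), yet `fatal_errno ("prctl (PR_SET_NO_NEW_PRIVS)")` reports it only as a generic "Invalid argument" — the same ambiguity that let the original mis-invocation pass as a kernel limitation. I would state the hardened contract in the comment block just above the call, e.g. `/* PR_SET_NO_NEW_PRIVS is now mandatory: on a kernel without it (pre-3.5) prctl fails with EINVAL and we abort rather than run without the protection. */`, and, if the file's error helpers permit it, special-case `errno == EINVAL` with a message naming the missing kernel feature so the failure is diagnosable from the error alone. The `#define PR_SET_NO_NEW_PRIVS 38` fallback kept in the include block is still needed for old headers and is consistent with this. The enclosing main() begins and ends outside the hunk.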