authorlns <matzeton@googlemail.com>2018-08-02 15:34:10 +0200
committerlns <matzeton@googlemail.com>2018-08-02 15:34:30 +0200
commit7557d150d3848fb38623983b4df48574384cb208 (patch)
tree76992ea6420633b45da203f0f82106ac7d206c13
parent6659e12db0deb467e8efee5043844c5080547ba0 (diff)
set PR_SET_SECUREBITS and PR_SET_NO_NEW_PRIVS
Signed-off-by: lns <matzeton@googlemail.com>
-rw-r--r--src/jail.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/jail.c b/src/jail.c
index 83dc96d..b307706 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -42,6 +42,7 @@
#include <pty.h>
#include <utmp.h>
#include <limits.h>
+#include <linux/securebits.h>
#include <sys/signalfd.h>
#include <sys/wait.h>
#include <sys/prctl.h>
@@ -308,7 +309,13 @@ static int jail_childfn(prisoner_process *ctx)
self_pid = getpid();
set_procname("[potd] jail-client");
if (prctl(PR_SET_PDEATHSIG, SIGTERM) != 0)
- FATAL("Jail child prctl for pid %d", self_pid);
+ FATAL("%s", "Jail child setting deathsig");
+ if (prctl(PR_SET_SECUREBITS,
+ SECBIT_NOROOT | SECBIT_NOROOT_LOCKED |
+ SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED))
+ FATAL("%s", "Jail child setting securebits");
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+ FATAL("%s", "Jail child setting no new privs");
if (!ctx->newroot)
FATAL("New root set for pid %d", self_pid);
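Review bot: The two new FATAL calls for PR_SET_SECUREBITS and PR_SET_NO_NEW_PRIVS report a fixed string and drop errno, so an EPERM (the child lacks CAP_SETPCAP when setting securebits) cannot be told apart in the log from an EINVAL (a kernel that does not know SECBIT_NO_CAP_AMBIENT_RAISE); unless FATAL already appends strerror(errno), use `FATAL("Jail child setting securebits: %s", strerror(errno));` and `FATAL("Jail child setting no new privs: %s", strerror(errno));`. The new `#include <linux/securebits.h>` in the first hunk only defines the two NO_CAP_AMBIENT_RAISE bits on reasonably recent kernel headers, which is presumably acceptable for this project but worth a comment such as `/* SECBIT_NO_CAP_AMBIENT_RAISE needs linux/securebits.h from kernel 4.3+ */`. Ordering is fine: securebits are set before no_new_privs, and both are applied before the root switch that the following lines prepare. The body of jail_childfn continues outside this hunk.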