author | Toni Uhlig <matzeton@googlemail.com> | 2020-06-27 04:33:44 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2020-06-27 04:33:44 +0200 |
commit | 60fb08bea63d413715e94234b801db5f794e39db (patch) | |
tree | 4fabf96b55e080ca6b9d6be222f9c0278c2574a4 | |
parent | 266ee9e20c3591e5a25817bc63328eb75f338c28 (diff) |
force non-zero via setuid/setgid
* added a TODO for root-user mapping (for the case where someone logged in as root)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | src/jail.c | 9 | ||||
-rw-r--r-- | src/pseccomp.c | 2 |
2 files changed, 10 insertions, 1 deletions
@@ -450,6 +450,15 @@ static int jail_childfn(prisoner_process *ctx) if (sethostname("openwrt", SIZEOF("openwrt"))) exit(EXIT_FAILURE); + /* TODO: map root user: unshare(CLONE_NEWUSER); */ + if (setresgid(65534, 65534, 65534)) { + D2("setregid failed: %s", strerror(errno)); + } + if (setresuid(65534, 65534, 65534)) { + D2("setreuid failed: %s", strerror(errno)); + exit(EXIT_FAILURE); + } + printf("%s", " _______ ________ __\n" " | |.-----.-----.-----.| | | |.----.| |_\n" diff --git a/src/pseccomp.c b/src/pseccomp.c index 1aed9ce..3369940 100644 --- a/src/pseccomp.c +++ b/src/pseccomp.c @@ -118,7 +118,7 @@ static const int default_allowed_syscalls[] = { SCMP_SYS(lstat), SCMP_SYS(lstat64), SCMP_SYS(sysinfo), /* operations on user/group */ SCMP_SYS(setuid), SCMP_SYS(setuid32), SCMP_SYS(setgid), SCMP_SYS(setgid32), - SCMP_SYS(setreuid), SCMP_SYS(setreuid32), + SCMP_SYS(setreuid), SCMP_SYS(setreuid32), SCMP_SYS(setregid), SCMP_SYS(setregid32), SCMP_SYS(setresuid), SCMP_SYS(setresuid32), SCMP_SYS(setresgid), SCMP_SYS(setresgid32), SCMP_SYS(getuid), SCMP_SYS(getuid32), SCMP_SYS(geteuid), SCMP_SYS(geteuid32), SCMP_SYS(getgid), SCMP_SYS(getgid32), SCMP_SYS(getegid), SCMP_SYS(getegid32), |
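Review bot: A failed setresgid() in the added block is only logged before the code goes on to call setresuid() and continue, so the child can end up running as uid 65534 while still holding gid 0; the gid drop should be fatal like the uid drop, `D2("setresgid failed: %s", strerror(errno)); exit(EXIT_FAILURE);`. The two D2 messages also say "setregid"/"setreuid" although the calls are setresgid()/setresuid(), which will mislead whoever reads the log. Unless jail_childfn already clears supplementary groups with setgroups() earlier (not visible here), groups inherited from the parent survive this drop and would need clearing before the setresgid() call. A named constant for 65534 (the conventional nobody/nogroup id) would read better than the repeated literal. jail_childfn starts before this hunk and continues after it.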
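Review bot: The entries added to default_allowed_syscalls are setregid/setregid32, but the jail.c change in this commit calls setresgid(), which the next line of this list already permitted, so this addition is not what enables the gid drop; keeping it for symmetry with setreuid is fine, but the commit message should say so rather than imply it was required. Any setgroups() call added to the jail would also need setgroups/setgroups32 here, and neither appears in the visible part of the list.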