diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2018-05-20 02:26:20 +0200 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2018-05-20 02:26:20 +0200 |
| commit | 9b9825fa6a33a4f9703905100a88190aaf030607 (patch) | |
| tree | 1dbb712b543320748e29afb8fd751e67fbfe9ed6 /src/jail.c | |
| parent | 84d818f280f3a398fc91ca82699bc380d37d99cf (diff) | |
POTD skeleton #63.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/jail.c')
| -rw-r--r-- | src/jail.c | 18 |
1 files changed, 13 insertions, 5 deletions
@@ -10,6 +10,7 @@ #include "jail.h" #include "socket.h" +#include "pseccomp.h" #include "capabilities.h" #include "utils.h" #include "log.h" @@ -241,9 +242,11 @@ static int jail_childfn(prisoner_process *ctx) CLONE_NEWNS|CLONE_NEWNET/*|CLONE_NEWUSER*/; //unsigned int ug_map[3] = { 0, 10000, 65535 }; pid_t self_pid, child_pid; + pseccomp_ctx *psc = NULL; assert(ctx); self_pid = getpid(); + set_procname("[potd] jail-client"); if (set_child_sighandler()) FATAL("Set sighandler for pid %d", self_pid); if (setpgrp()) @@ -257,7 +260,7 @@ static int jail_childfn(prisoner_process *ctx) FATAL("Clearing ENV for pid %d", self_pid); caps_drop_dac_override(0); - caps_drop_all(); + //caps_drop_all(); D2("Unshare prisoner %d", self_pid); if (unshare(unshare_flags)) @@ -300,11 +303,9 @@ static int jail_childfn(prisoner_process *ctx) FATAL("Create directory '%s'", path_proc); D2("Creating device files in '%s%s'", ctx->newroot, path_dev); - if (create_device_files(path_dev)) { - E2("Device file creation failed for rootfs '%s%s'", + if (create_device_files(path_dev)) + FATAL("Device file creation failed for rootfs '%s%s'", ctx->newroot, path_dev); - exit(EXIT_FAILURE); - } D2("Forking a new pty process for " "parent %d", self_pid); @@ -348,6 +349,13 @@ static int jail_childfn(prisoner_process *ctx) " -----------------------------------------------------\n" ); + pseccomp_set_immutable(); + pseccomp_init(&psc); + if (pseccomp_jail_rules(psc)) + FATAL("%s", "SECCOMP: adding jail rules"); + pseccomp_free(&psc); + + sethostname("openwrt", SIZEOF("openwrt")); if (execl(path_shell, path_shell, (char *) NULL)) exit(EXIT_FAILURE); default: |