-rw-r--r--src/jail.c9
-rw-r--r--src/pseccomp.c2
2 files changed, 10 insertions, 1 deletions
diff --git a/src/jail.c b/src/jail.c
index 5671499..20dee9a 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -450,6 +450,15 @@ static int jail_childfn(prisoner_process *ctx)
if (sethostname("openwrt", SIZEOF("openwrt")))
exit(EXIT_FAILURE);
+ /* TODO: map root user: unshare(CLONE_NEWUSER); */
+ if (setresgid(65534, 65534, 65534)) {
+ D2("setregid failed: %s", strerror(errno));
+ }
+ if (setresuid(65534, 65534, 65534)) {
+ D2("setreuid failed: %s", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
printf("%s",
" _______ ________ __\n"
" | |.-----.-----.-----.| | | |.----.| |_\n"
diff --git a/src/pseccomp.c b/src/pseccomp.c
index 1aed9ce..3369940 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -118,7 +118,7 @@ static const int default_allowed_syscalls[] = {
SCMP_SYS(lstat), SCMP_SYS(lstat64), SCMP_SYS(sysinfo),
/* operations on user/group */
SCMP_SYS(setuid), SCMP_SYS(setuid32), SCMP_SYS(setgid), SCMP_SYS(setgid32),
- SCMP_SYS(setreuid), SCMP_SYS(setreuid32),
+ SCMP_SYS(setreuid), SCMP_SYS(setreuid32), SCMP_SYS(setregid), SCMP_SYS(setregid32),
SCMP_SYS(setresuid), SCMP_SYS(setresuid32), SCMP_SYS(setresgid), SCMP_SYS(setresgid32),
SCMP_SYS(getuid), SCMP_SYS(getuid32), SCMP_SYS(geteuid), SCMP_SYS(geteuid32),
SCMP_SYS(getgid), SCMP_SYS(getgid32), SCMP_SYS(getegid), SCMP_SYS(getegid32),
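Review bot: The added `SCMP_SYS(setregid), SCMP_SYS(setregid32)` entries widen the default allow-list, but the privilege drop this commit adds in src/jail.c uses `setresgid`/`setresuid`, which were already listed, so nothing visible here needs them. If they are there only to mirror the existing setreuid pair, the `/* operations on user/group */` comment should say so, for example `/* operations on user/group: full set*id family allowed so jailed programs can drop privileges themselves */`. The array starts and ends outside the hunk, so the rest of the list cannot be checked from here.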