From 60fb08bea63d413715e94234b801db5f794e39db Mon Sep 17 00:00:00 2001 From: Toni Uhlig Date: Sat, 27 Jun 2020 04:33:44 +0200 Subject: force non-zero via setuid/setgid * added TODO for root user mapping (if someone logged in as root) Signed-off-by: Toni Uhlig --- src/jail.c | 9 +++++++++ src/pseccomp.c | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/jail.c b/src/jail.c index 5671499..20dee9a 100644 --- a/src/jail.c +++ b/src/jail.c @@ -450,6 +450,15 @@ static int jail_childfn(prisoner_process *ctx) if (sethostname("openwrt", SIZEOF("openwrt"))) exit(EXIT_FAILURE); + /* TODO: map root user: unshare(CLONE_NEWUSER); */ + if (setresgid(65534, 65534, 65534)) { + D2("setregid failed: %s", strerror(errno)); + } + if (setresuid(65534, 65534, 65534)) { + D2("setreuid failed: %s", strerror(errno)); + exit(EXIT_FAILURE); + } + printf("%s", " _______ ________ __\n" " | |.-----.-----.-----.| | | |.----.| |_\n" diff --git a/src/pseccomp.c b/src/pseccomp.c index 1aed9ce..3369940 100644 --- a/src/pseccomp.c +++ b/src/pseccomp.c @@ -118,7 +118,7 @@ static const int default_allowed_syscalls[] = { SCMP_SYS(lstat), SCMP_SYS(lstat64), SCMP_SYS(sysinfo), /* operations on user/group */ SCMP_SYS(setuid), SCMP_SYS(setuid32), SCMP_SYS(setgid), SCMP_SYS(setgid32), - SCMP_SYS(setreuid), SCMP_SYS(setreuid32), + SCMP_SYS(setreuid), SCMP_SYS(setreuid32), SCMP_SYS(setregid), SCMP_SYS(setregid32), SCMP_SYS(setresuid), SCMP_SYS(setresuid32), SCMP_SYS(setresgid), SCMP_SYS(setresgid32), SCMP_SYS(getuid), SCMP_SYS(getuid32), SCMP_SYS(geteuid), SCMP_SYS(geteuid32), SCMP_SYS(getgid), SCMP_SYS(getgid32), SCMP_SYS(getegid), SCMP_SYS(getegid32), -- cgit v1.2.3