From e97d33d7b6a80daf4508dba7c69e96f7977ce436 Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Wed, 16 May 2018 14:11:54 +0200
Subject: POTD skeleton #57.

Signed-off-by: Toni Uhlig
---
 src/jail.c | 15 ++++++++++++---
 src/utils.c | 49 ++++++++++++++++++++++++++++++++++++++++++-------
 src/utils.h | 4 +++-
 3 files changed, 57 insertions(+), 11 deletions(-)

diff --git a/src/jail.c b/src/jail.c
index b083c5a..ff45bad 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -233,7 +233,7 @@ static int jail_childfn(prisoner_process *ctx)
 int s, master_fd;
 int unshare_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|
 CLONE_NEWNS|CLONE_NEWNET/*|CLONE_NEWUSER*/;
- unsigned int ug_map[3] = { 0, 10000, 65535 };
+ //unsigned int ug_map[3] = { 0, 10000, 65535 };
 pid_t self_pid, child_pid;
 
 assert(ctx);
@@ -247,11 +247,12 @@ static int jail_childfn(prisoner_process *ctx)
 if (!ctx->newroot)
 FATAL("New root set for pid %d", self_pid);
 
+ if (clearenv())
+ FATAL("Clearing ENV for pid %d", self_pid);
+
 D2("Unshare prisoner %d", self_pid);
 if (unshare(unshare_flags))
 FATAL("Unshare prisoner %d", self_pid);
- if (update_uid_map(getpid(), ug_map))
- FATAL("UID mapping for %d", getpid());
 
 D2("Safe change root to: '%s'", ctx->newroot);
 if (safe_chroot(ctx->newroot))
@@ -308,6 +309,14 @@ static int jail_childfn(prisoner_process *ctx)
 case 0:
 if (mount_proc(path_proc))
 exit(EXIT_FAILURE);
+/*
+ if (update_setgroups_self(0))
+ exit(EXIT_FAILURE);
+ if (update_guid_map(getpid(), ug_map, 0))
+ exit(EXIT_FAILURE);
+ if (update_guid_map(getpid(), ug_map, 1))
+ exit(EXIT_FAILURE);
+*/
 if (close_fds_except(0, 1, 2, -1))
 exit(EXIT_FAILURE);
 if (execl(path_shell, path_shell, (char *) NULL))
diff --git a/src/utils.c b/src/utils.c
index 69fcb0e..945f8a5 100644
--- a/src/utils.c
+++ b/src/utils.c
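Review bot: The `//unsigned int ug_map[3] ...` line in the `@@ -233` hunk and the `/* ... */` block in the `@@ -308` hunk park code as comments with no indication of why it is disabled or what has to happen before it comes back; since `CLONE_NEWUSER` is also commented out in `unshare_flags`, the new `update_guid_map`/`update_setgroups_self` helpers have no live caller in jail_childfn after this commit. If the block must stay, wrap it as `#if 0 /* TODO(#57): enable once CLONE_NEWUSER is set up */` ... `#endif` — that nests, survives later `/* */` comments inside it, and is grep-able — or drop it and keep the intent in the commit message. The `if (clearenv())` added in the `@@ -247` hunk relies on a glibc extension rather than POSIX, which a one-line comment such as `/* clearenv() is glibc-specific */` would make explicit. jail_childfn begins before the first hunk and continues past the last one.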
@@ -387,20 +387,55 @@ int create_device_files(const char *mount_path)
 return s;
 }
 
-int update_uid_map(pid_t pid, unsigned int uid_map[3])
+int update_guid_map(pid_t pid, unsigned int map[3], int update_uidmap)
 {
- int s;
- const char *const path_pid = "/proc/%d/uid_map";
- const char *const path_self = "/proc/self/uid_map";
- char path[32];
+ int s, fd;
+ ssize_t written;
+ const char *const path_pid = "/proc/%d/%s";
+ const char *const path_self = "/proc/self/%s";
+ char buf[64];
 
 if (pid < 0) {
- s = snprintf(path, sizeof path, "%s", path_self);
+ s = snprintf(buf, sizeof buf, path_self,
+ (update_uidmap ? "uid_map" : "gid_map"));
 } else {
- s = snprintf(path, sizeof path, path_pid, pid);
+ s = snprintf(buf, sizeof buf, path_pid, pid,
+ (update_uidmap ? "uid_map" : "gid_map"));
 }
 if (s <= 0)
 return 1;
 
+ fd = open(buf, O_WRONLY);
+ if (fd < 0)
+ return 1;
+
+ s = snprintf(buf, sizeof buf, "%u %u %u\n", map[0], map[1], map[2]);
+ written = write(fd, buf, s);
+ if (written <= 0)
+ return 1;
+
+ return 0;
+}
+
+int update_setgroups_self(int allow)
+{
+ int fd;
+ ssize_t written;
+ const char *const path_self = "/proc/self/setgroups";
+ const char *const str_allow = "allow";
+ const char *const str_deny = "deny";
+
+ fd = open(path_self, O_WRONLY);
+ if (fd < 0)
+ return 1;
+
+ if (allow) {
+ written = write(fd, str_allow, sizeof str_allow);
+ } else {
+ written = write(fd, str_deny, sizeof str_deny);
+ }
+ if (written <= 0)
+ return 1;
+
 return 0;
 }
diff --git a/src/utils.h b/src/utils.h
index 825f621..360cc3f 100644
--- a/src/utils.h
+++ b/src/utils.h
@@ -41,6 +41,8 @@ int create_device_file_checked(const char *mount_path, const char *device_file,
 int create_device_files(const char *mount_path);
 
-int update_uid_map(pid_t pid, unsigned int uid_map[3]);
+int update_guid_map(pid_t pid, unsigned int uid_map[3], int update_uidmap);
+
+int update_setgroups_self(int allow);
 
 #endif
-- 
cgit v1.2.3
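Review bot: `sizeof str_allow` and `sizeof str_deny` in `update_setgroups_self` are the size of a `const char *` (8 bytes on LP64), not the length of the strings, so each `write()` reads past the end of the `"allow"`/`"deny"` literal and hands the kernel trailing garbage; use `strlen(str)` (or `sizeof "allow" - 1` on the literal itself). Both new functions also leak the descriptor returned by `open()` — neither path, success or failure, ever calls `close(fd)`. In `update_guid_map` the second `snprintf` result is passed to `write()` unchecked and `written <= 0` accepts a short write, although the kernel expects a uid_map/gid_map line to arrive in a single `write(2)`, so the check should be `written != s`; the earlier `if (s <= 0)` likewise does not catch truncation (`s >= sizeof buf`). The rewrite below keeps both signatures; `strlen` needs `<string.h>` if utils.c does not already include it.
```c
int update_guid_map(pid_t pid, unsigned int map[3], int update_uidmap)
{
    /* … unchanged: declarations and path formatting into buf … */
    if (s <= 0 || (size_t) s >= sizeof buf)
        return 1;

    fd = open(buf, O_WRONLY);
    if (fd < 0)
        return 1;

    s = snprintf(buf, sizeof buf, "%u %u %u\n", map[0], map[1], map[2]);
    if (s <= 0 || (size_t) s >= sizeof buf) {
        close(fd);
        return 1;
    }
    /* the whole mapping must land in one write; a short write is a failure */
    written = write(fd, buf, (size_t) s);
    close(fd);
    return (written != s) ? 1 : 0;
}

int update_setgroups_self(int allow)
{
    /* … unchanged: declarations and open() of /proc/self/setgroups … */
    const char *const str = allow ? str_allow : str_deny;
    const size_t len = strlen(str);

    written = write(fd, str, len);
    close(fd);
    return (written < 0 || (size_t) written != len) ? 1 : 0;
}
```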
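Review bot: The prototype still names the array `uid_map` while the definition in utils.c names it `map`, and after this change it carries gid mappings as well, so the header should read `int update_guid_map(pid_t pid, const unsigned int map[3], int update_uidmap);` (the definition only reads `map[0..2]`, so `const` is safe). Neither new declaration documents its contract; a short comment such as `/* Write "map[0] map[1] map[2]" to /proc/<pid>/uid_map (update_uidmap != 0) or gid_map; pid < 0 means /proc/self. Returns 0 on success, 1 on failure. */` on `update_guid_map` and `/* Write "allow" or "deny" to /proc/self/setgroups. Returns 0 on success, 1 on failure. */` on `update_setgroups_self` would let callers use them without reading utils.c.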