author | Mike Frysinger <vapier@gentoo.org> | 2015-08-17 18:18:39 -0400 |
committer | Mike Frysinger <vapier@gentoo.org> | 2015-08-20 10:38:38 -0400 |
commit | bdf41eb2ecb9a7a72e3024d088e63edff2ddc0e5 (patch) | |
tree | 7c8cf990bf4eb2527facb723aec806598f659e35 | |
parent | security: leverage namespaces to restrict the runtime a bit (diff) | |
security: lock down privs a bit via prctl
Should make accidentally running set*id programs less of a problem.
-rw-r--r-- | porting.h | 4 | ||||
-rw-r--r-- | security.c | 9 |
2 files changed, 13 insertions, 0 deletions
@@ -42,6 +42,10 @@
 #if !defined(__FreeBSD__) && !defined(__OpenBSD__)
 # include <alloca.h>
 #endif
+#if defined(__linux__)
+# include <sys/prctl.h>
+# include <linux/securebits.h>
+#endif
 #if defined(__GLIBC__) || defined(__UCLIBC__)
 # include <byteswap.h>
 # include <endian.h>
@@ -69,6 +69,15 @@ void security_init(bool allow_forking)
 	if (!ALLOW_PIDNS)
 		allow_forking = true;
 
+	/* Drop all possible caps for us and our children. */
+	prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+	prctl(PR_SET_SECUREBITS,
+		SECBIT_KEEP_CAPS_LOCKED |
+		SECBIT_NO_SETUID_FIXUP |
+		SECBIT_NO_SETUID_FIXUP_LOCKED |
+		SECBIT_NOROOT |
+		SECBIT_NOROOT_LOCKED, 0, 0, 0);
+
 	/* None of the pax tools need access to these features. */
 	flags = CLONE_NEWIPC | CLONE_NEWUTS;
 	/* Would be nice to leverage mount/net ns, but they're just way too slow. */
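Review bot: The new `<sys/prctl.h>` and `<linux/securebits.h>` includes are only pulled in under `__linux__`, while the prctl()/SECBIT_* calls this commit adds to security.c are unconditional, so a non-Linux build of security.c would fail unless that file is already Linux-only (plausible given the CLONE_* flags it uses, but not visible from this hunk). `PR_SET_NO_NEW_PRIVS` is also newer than the securebits constants and can be missing from older kernel headers; a fallback in this block keeps older sysroots building: `#ifndef PR_SET_NO_NEW_PRIVS` / `# define PR_SET_NO_NEW_PRIVS 38` / `#endif`. Either guard the calls in security.c the same way or state in a comment here that security.c is Linux-only.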
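Review bot: Both prctl() calls discard their return value, so the lockdown can fail silently: PR_SET_SECUREBITS requires CAP_SETPCAP and returns EPERM for an unprivileged caller, and PR_SET_NO_NEW_PRIVS is rejected with EINVAL by kernels that predate it. The EPERM case is harmless for a plain user, since SECBIT_NOROOT only changes the behaviour of uid-0 and setuid-root execs, but in the root case these bits are aimed at nothing distinguishes success from a no-op. At minimum report the failure, e.g. `if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) perror("prctl(PR_SET_NO_NEW_PRIVS)");`, and the same for the securebits call, so a missing protection is visible rather than assumed. The rest of security_init continues outside the hunk.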