Commit 123f234a authored by Colin Walters

Drop use of SECBIT_NOROOT, hard require PR_SET_NO_NEW_PRIVS

So sadly, I screwed up the invocation of `prctl(PR_SET_NO_NEW_PRIVS)` -
we need to provide 0 for the remaining arguments, otherwise the
kernel will *always* give us `-EINVAL`.

I didn't notice this at the time because I wanted to support the RHEL6
kernel.  Anyways, I no longer care about RHEL6 myself, and I'm going
to declare no one else should either =)
parent 233a5274
......@@ -24,10 +24,6 @@ AC_SUBST(WARN_CFLAGS)
LT_PREREQ([2.2.4])
LT_INIT([disable-static])
AC_CHECK_HEADER([linux/securebits.h],
[AC_DEFINE([HAVE_LINUX_SECUREBITS_H], [1],
[Define to 1 if we have securebits.h])])
AC_ARG_ENABLE(documentation,
AC_HELP_STRING([--enable-documentation],
[build documentation]),,
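Review bot: dropping the AC_CHECK_HEADER for linux/securebits.h also drops the HAVE_LINUX_SECUREBITS_H define, so any `#ifdef HAVE_LINUX_SECUREBITS_H` block that survives elsewhere in the tree would now be silently compiled out; grep for it before merging. Since this removes the only fallback for kernels without PR_SET_NO_NEW_PRIVS (available from Linux 3.5 on), the kernel requirement documented in the README should be updated to match.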
......@@ -8,7 +8,7 @@
* distribution, allow privilege escalation. See the README for more
* details.
*
* Copyright 2011,2012 Colin Walters <walters@verbum.org>
* Copyright 2011,2012,2015 Colin Walters <walters@verbum.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
......@@ -43,12 +43,6 @@
#include <sys/syscall.h>
#include <sys/wait.h>
#include <sched.h>
#ifdef HAVE_LINUX_SECUREBITS_H
#include <linux/securebits.h>
#else
#define SECBIT_NOROOT (1 << 0)
#define SECBIT_NOROOT_LOCKED (1 << 1)
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
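Review bot: with the securebits include and the SECBIT_NOROOT / SECBIT_NOROOT_LOCKED fallback defines gone, the `#ifndef PR_SET_NO_NEW_PRIVS` / `#define PR_SET_NO_NEW_PRIVS 38` shim is the only header-compatibility fallback left, and it is the right one to keep: it lets the program build against older headers while the runtime prctl call in main decides whether the kernel supports it. Confirm no other SECBIT_* reference remains in the file, since the hunk in main removes the only use shown here.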
......@@ -319,16 +313,15 @@ main (int argc,
*
* http://lwn.net/Articles/504879/
*
* If that's not available, we fall back to using SECBIT_NOROOT.
*
* Following the belt-and-suspenders model, we also make a
* MS_NOSUID bind mount below.
* MS_NOSUID bind mount below. I don't think this is strictly
* necessary, but at least we doubly ensure we're not going to
* be executing any setuid binaries from the host's /. It
* doesn't help if there are any other mount points with setuid
* binaries, but `PR_SET_NO_NEW_PRIVS` fixes that.
*/
if (prctl (PR_SET_NO_NEW_PRIVS, 1) < 0 && errno != EINVAL)
if (prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
fatal_errno ("prctl (PR_SET_NO_NEW_PRIVS)");
else if (prctl (PR_SET_SECUREBITS,
SECBIT_NOROOT | SECBIT_NOROOT_LOCKED) < 0)
fatal_errno ("prctl (SECBIT_NOROOT)");
/* This is necessary to undo the damage "sandbox" creates on Fedora
* by making / a shared mount instead of private. This isn't
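Review bot: the corrected call `prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` is right; the kernel rejects PR_SET_NO_NEW_PRIVS with -EINVAL unless arg2 is 1 and arg3 through arg5 are zero, so the old two-argument form left those registers unspecified and always failed, and the `errno != EINVAL` exception then routed every run to the SECBIT_NOROOT branch, meaning no-new-privs was never actually in effect. Removing the EINVAL exception is therefore the substantive part of the fix, not a cleanup. One follow-up: on a kernel older than 3.5 the same call now also fails with EINVAL, and `fatal_errno ("prctl (PR_SET_NO_NEW_PRIVS)")` will report only "Invalid argument"; consider checking errno == EINVAL and stating that the kernel lacks PR_SET_NO_NEW_PRIVS, so users can tell an unsupported kernel from a genuine bug.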