commit: bdf41eb2ecb9a7a72e3024d088e63edff2ddc0e5 Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> AuthorDate: Mon Aug 17 22:18:39 2015 +0000 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> CommitDate: Thu Aug 20 14:38:38 2015 +0000 URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=bdf41eb2
security: lock down privs a bit via prctl Should prevent accidentally running set*id programs less of a problem. porting.h | 4 ++++ security.c | 9 +++++++++ 2 files changed, 13 insertions(+)
diff --git a/porting.h b/porting.h
index 9dea528..c93f0f8 100644
--- a/porting.h
+++ b/porting.h
@@ -42,6 +42,10 @@
 #if !defined(__FreeBSD__) && !defined(__OpenBSD__)
 # include <alloca.h>
 #endif
+#if defined(__linux__)
+# include <sys/prctl.h>
+# include <linux/securebits.h>
+#endif
 #if defined(__GLIBC__) || defined(__UCLIBC__)
 # include <byteswap.h>
 # include <endian.h>
diff --git a/security.c b/security.c
index 9b48a9a..3012212 100644
--- a/security.c
+++ b/security.c
@@ -69,6 +69,15 @@ void security_init(bool allow_forking)
 if (!ALLOW_PIDNS)
 allow_forking = true;
 
+ /* Drop all possible caps for us and our children. */
+ prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+ prctl(PR_SET_SECUREBITS,
+ SECBIT_KEEP_CAPS_LOCKED |
+ SECBIT_NO_SETUID_FIXUP |
+ SECBIT_NO_SETUID_FIXUP_LOCKED |
+ SECBIT_NOROOT |
+ SECBIT_NOROOT_LOCKED, 0, 0, 0);
+
 /* None of the pax tools need access to these features. */
 flags = CLONE_NEWIPC | CLONE_NEWUTS;
 /* Would be nice to leverage mount/net ns, but they're just way too slow. */
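Review bot: Both prctl() calls in the security.c hunk discard their return value, and PR_SET_SECUREBITS requires CAP_SETPCAP, so when the tools run as an ordinary user the call fails with EPERM and the securebits lockdown silently never takes effect; PR_SET_NO_NEW_PRIVS likewise returns EINVAL on kernels that predate it. If this is intended as best-effort hardening, the comment should say so, and otherwise the result should be checked and reported through the tree's errno-aware warning helper so a failed lockdown is visible rather than assumed. The comment also overstates what happens: neither call drops capabilities — the first stops execve() from granting new privilege to this process and its children, the second keeps root/setuid from (re)gaining capabilities — so something like `/* Prevent execve() from granting new privs (setuid/fscaps) to us or our children, and lock out the root/setuid capability fixups. */` would be accurate. The new headers in porting.h are guarded by `__linux__` while these calls are unconditional, which is fine only if security.c is already Linux-only (it already relies on CLONE_NEWIPC, so it may be); the body of security_init continues past the end of the hunk.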