security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity

internal/prctl: rename prctl wrappers
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Fortify (push) Successful in 2m39s
Details
Test / Data race detector (push) Successful in 3m29s
Details
Test / Fpkg (push) Successful in 3m34s
Details
Test / Flake checks (push) Successful in 51s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-07 22:56:35 +09:00
parent f7bd6a5a41
commit 9e15898c8f
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
5 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/fpkg/main.go
View File

@ -40,7 +40,7 @@ func main() {
// early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE // early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE
init0.TryArgv0() init0.TryArgv0()
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil { if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil {
log.Printf("cannot set SUID_DUMP_DISABLE: %s", err) log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
// not fatal: this program runs as the privileged user // not fatal: this program runs as the privileged user
} }

4
internal/app/init/main.go
View File

@ -28,7 +28,7 @@ func Main() {
fmsg.Prepare("init") fmsg.Prepare("init")
// setting this prevents ptrace // setting this prevents ptrace
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil { if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil {
log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err) log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
} }
@ -64,7 +64,7 @@ func Main() {
} }
// die with parent // die with parent
if err := internal.PR_SET_PDEATHSIG__SIGKILL(); err != nil { if err := internal.SetPdeathsig(syscall.SIGKILL); err != nil {
log.Fatalf("prctl(PR_SET_PDEATHSIG, SIGKILL): %v", err) log.Fatalf("prctl(PR_SET_PDEATHSIG, SIGKILL): %v", err)
} }

2
internal/app/shim/main.go
View File

@ -29,7 +29,7 @@ func Main() {
fmsg.Prepare("shim") fmsg.Prepare("shim")
// setting this prevents ptrace // setting this prevents ptrace
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil { if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil {
log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err) log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
} }

13
internal/prctl.go
View File

@ -2,17 +2,22 @@ package internal
import "syscall" import "syscall"
func PR_SET_DUMPABLE__SUID_DUMP_DISABLE() error { const (
SUID_DUMP_DISABLE = iota
SUID_DUMP_USER
)
func SetDumpable(dumpable uintptr) error {
// linux/sched/coredump.h // linux/sched/coredump.h
if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, 0, 0); errno != 0 { if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, dumpable, 0); errno != 0 {
return errno return errno
} }
return nil return nil
} }
func PR_SET_PDEATHSIG__SIGKILL() error { func SetPdeathsig(sig syscall.Signal) error {
if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 { if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(sig), 0); errno != 0 {
return errno return errno
} }

2
main.go
View File

@ -44,7 +44,7 @@ func main() {
// early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE // early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE
init0.TryArgv0() init0.TryArgv0()
if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil { if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil {
log.Printf("cannot set SUID_DUMP_DISABLE: %s", err) log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
// not fatal: this program runs as the privileged user // not fatal: this program runs as the privileged user
} }