sandbox/init: clear inheritable set
Inheritable should not be able to affect anything regardless of its value, due to no_new_privs. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
parent
18644d90be
commit
d613257841
@ -217,7 +217,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
||||
}
|
||||
|
||||
/*
|
||||
load seccomp filter
|
||||
caps/securebits and seccomp filter
|
||||
*/
|
||||
|
||||
if _, _, errno := syscall.Syscall(PR_SET_NO_NEW_PRIVS, 1, 0, 0); errno != 0 {
|
||||
@ -228,9 +228,16 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
||||
}
|
||||
for i := uintptr(0); i <= LastCap(); i++ {
|
||||
if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_CAPBSET_DROP, i, 0); errno != 0 {
|
||||
log.Fatalf("cannot drop capability: %v", errno)
|
||||
log.Fatalf("cannot drop capability from bonding set: %v", errno)
|
||||
}
|
||||
}
|
||||
if err := capset(
|
||||
&capHeader{_LINUX_CAPABILITY_VERSION_3, 0},
|
||||
&[2]capData{{0, 0, 0}, {0, 0, 0}},
|
||||
); err != nil {
|
||||
log.Fatalf("cannot capset: %v", err)
|
||||
}
|
||||
|
||||
if err := seccomp.Load(params.Flags.seccomp(params.Seccomp)); err != nil {
|
||||
log.Fatalf("cannot load syscall filter: %v", err)
|
||||
}
|
||||
|
@ -100,9 +100,11 @@ print(denyOutputVerbose)
|
||||
print(machine.fail("sudo -u alice -i fsu"))
|
||||
|
||||
# Verify capabilities/securebits in user namespace:
|
||||
print(machine.succeed("sudo -u alice -i fortify run capsh --print"))
|
||||
print(machine.succeed("sudo -u alice -i fortify run capsh --has-no-new-privs"))
|
||||
print(machine.fail("sudo -u alice -i fortify run capsh --has-a=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i fortify run capsh --has-b=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i fortify run capsh --has-i=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i fortify run capsh --has-p=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i fortify run umount -R /dev"))
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user