container: ptrace protection via Yama LSM
This is only a nice-to-have feature, as the init process has no additional privileges and the monitor process was never reachable anyway. Closes #4. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
parent
6947ff04e0
commit
3d004e2916
@ -30,6 +30,11 @@ func main() {
|
|||||||
// early init path, skips root check and duplicate PR_SET_DUMPABLE
|
// early init path, skips root check and duplicate PR_SET_DUMPABLE
|
||||||
container.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
|
container.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
|
||||||
|
|
||||||
|
if err := container.SetPtracer(0); err != nil {
|
||||||
|
hlog.Verbosef("cannot enable ptrace protection via Yama LSM: %v", err)
|
||||||
|
// not fatal: this program runs as the privileged user
|
||||||
|
}
|
||||||
|
|
||||||
if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil {
|
if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil {
|
||||||
log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
|
log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
|
||||||
// not fatal: this program runs as the privileged user
|
// not fatal: this program runs as the privileged user
|
||||||
|
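Review bot: The new SetPtracer failure at the `hlog.Verbosef` line is reported only in verbose mode, while the neighbouring SetDumpable failure two lines below goes through `log.Printf`, so a hardening step that quietly did not apply is invisible in a default run; the same split appears in the Init hunk that follows. Either report both at the same level or say in the comment why this one is deliberately quieter, e.g. `// not fatal and verbose-only: Yama may be absent, and this program runs as the privileged user`. If I read the Yama semantics right, prctl(PR_SET_PTRACER, 0) clears any previously declared ptracer exception rather than blocking ancestor processes, so "enable ptrace protection" in the message overstates what a 0 argument achieves; wording it as clearing the ptracer would be more accurate. main's body continues outside the hunk.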
@ -55,6 +55,11 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
|
|||||||
log.Fatal("this process must run as pid 1")
|
log.Fatal("this process must run as pid 1")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err := SetPtracer(0); err != nil {
|
||||||
|
msg.Verbosef("cannot enable ptrace protection via Yama LSM: %v", err)
|
||||||
|
// not fatal: this program has no additional privileges at initial program start
|
||||||
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
params initParams
|
params initParams
|
||||||
closeSetup func() error
|
closeSetup func() error
|
||||||
|
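Review bot: As far as I know a kernel without Yama enabled answers prctl(PR_SET_PTRACER) with EINVAL, so on such systems the `msg.Verbosef` line reports "cannot enable ptrace protection via Yama LSM" on every start although nothing is wrong; the call in main has the same behaviour. Distinguishing that case keeps the verbose log meaningful, e.g. `if errors.Is(err, syscall.EINVAL) { msg.Verbosef("Yama LSM not available, ptrace protection not enabled") } else { msg.Verbosef("cannot enable ptrace protection via Yama LSM: %v", err) }`, assuming `errors` and `syscall` are in scope in this file. Init's body starts and ends outside the hunk.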
@ -9,6 +9,14 @@ const (
|
|||||||
SUID_DUMP_USER
|
SUID_DUMP_USER
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func SetPtracer(pid uintptr) error {
|
||||||
|
_, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_PTRACER, pid, 0)
|
||||||
|
if errno == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return errno
|
||||||
|
}
|
||||||
|
|
||||||
func SetDumpable(dumpable uintptr) error {
|
func SetDumpable(dumpable uintptr) error {
|
||||||
// linux/sched/coredump.h
|
// linux/sched/coredump.h
|
||||||
if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, dumpable, 0); errno != 0 {
|
if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, dumpable, 0); errno != 0 {
|
||||||
|
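Review bot: SetPtracer is exported but carries no doc comment, unlike SetDumpable right below it with its `// linux/sched/coredump.h` note, and its body uses a different shape from the `if _, _, errno := ...; errno != 0` form SetDumpable uses. Suggest `// SetPtracer calls prctl(PR_SET_PTRACER) with pid; 0 clears the ptracer exception, while the kernel's PR_SET_PTRACER_ANY (-1) would let any process trace this one, so callers should pass it deliberately.` and folding the body to `if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_PTRACER, pid, 0); errno != 0 { return errno }` followed by `return nil`. SetDumpable's body continues outside the hunk.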