diff --git a/container/container.go b/container/container.go
index 8f90235..52691ce 100644
--- a/container/container.go
+++ b/container/container.go
@@ -179,6 +179,12 @@ func (p *Container) Start() error {
 p.wait = make(chan struct{})
 done <- func() error {
 // setup depending on per-thread state must happen here
+ // PR_SET_NO_NEW_PRIVS: depends on per-thread state but acts on all processes created from that thread
+ if err := SetNoNewPrivs(); err != nil {
+ return wrapErrSuffix(err,
+ "prctl(PR_SET_NO_NEW_PRIVS):")
+ }
+
 msg.Verbose("starting container init")
 if err := p.cmd.Start(); err != nil {
 return msg.WrapErr(err, err.Error())
diff --git a/container/init.go b/container/init.go
index f162de2..885b543 100644
--- a/container/init.go
+++ b/container/init.go
@@ -218,10 +218,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 }
 }
 
- if _, _, errno := Syscall(SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
- log.Fatalf("prctl(PR_SET_NO_NEW_PRIVS): %v", errno)
- }
-
 if _, _, errno := Syscall(SYS_PRCTL, PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0); errno != 0 {
 log.Fatalf("cannot clear the ambient capability set: %v", errno)
 }
@@ -256,6 +252,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 rules = seccomp.Preset(params.SeccompPresets, params.SeccompFlags)
 }
 if err := seccomp.Load(rules, params.SeccompFlags); err != nil {
+ // this also indirectly asserts PR_SET_NO_NEW_PRIVS
 log.Fatalf("cannot load syscall filter: %v", err)
 }
 msg.Verbosef("%d filter rules loaded", len(rules))
diff --git a/container/syscall.go b/container/syscall.go
index 075da89..62b85c5 100644
--- a/container/syscall.go
+++ b/container/syscall.go
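Review bot: The SetNoNewPrivs call added at the top of the closure in the container.go hunk makes the child's no_new_privs guarantee depend on the prctl and the clone inside `p.cmd.Start()` executing on the same OS thread, which the existing "per-thread state" comment only implies; and because the flag is irreversible, whichever thread runs this closure keeps no_new_privs for the rest of the parent's life. The new comment should state both, e.g. `// PR_SET_NO_NEW_PRIVS is per-thread and irreversible: it must be set on the (presumably locked) thread that forks init, and that thread keeps it for the life of the process`. Whether the thread is actually locked with runtime.LockOSThread is not visible in the hunk. Start's body begins before this hunk and the closure continues past its end.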
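Review bot: The comment added before `log.Fatalf` in the second init.go hunk claims `seccomp.Load` indirectly asserts PR_SET_NO_NEW_PRIVS, but the kernel only demands no_new_privs for an unprivileged filter install; a task holding CAP_SYS_ADMIN in its user namespace can load a filter without it, and the ambient-set clearing a few lines earlier does not by itself drop that capability. With the explicit prctl removed in the first init.go hunk, a child that inherited no flag (a spawn path other than the one patched in container.go, or a thread that missed the prctl) would now go unnoticed at this point. Suggest either an explicit check here via a PR_GET_NO_NEW_PRIVS prctl that is fatal unless it returns 1, or rewording the comment to `// seccomp.Load only implies PR_SET_NO_NEW_PRIVS when the process lacks CAP_SYS_ADMIN in its user namespace`. Init's body begins before these hunks and continues after them.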
@@ -18,6 +18,14 @@ func SetDumpable(dumpable uintptr) error {
 return nil
 }
 
+func SetNoNewPrivs() error {
+ _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0)
+ if errno == 0 {
+ return nil
+ }
+ return errno
+}
+
 // IgnoringEINTR makes a function call and repeats it if it returns an
 // EINTR error. This appears to be required even though we install all
 // signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.
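Review bot: SetNoNewPrivs is exported but carries no doc comment, unlike IgnoringEINTR just below it; suggest `// SetNoNewPrivs sets PR_SET_NO_NEW_PRIVS on the calling thread. The flag cannot be cleared and is inherited across fork and execve by every child created from that thread.` above the declaration. Returning the raw syscall.Errno only when it is non-zero keeps the nil-interface case correct, so no change is needed there. Discarding the two result registers is fine for this prctl, whose only meaningful output is errno.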