summaryrefslogtreecommitdiff
path: root/src/core/execute.c
diff options
context:
space:
mode:
authorDaniel Mack <github@zonque.org>2016-03-21 12:57:43 +0100
committerDaniel Mack <github@zonque.org>2016-03-21 12:57:43 +0100
commit68de79d6a42ac6da4268ac48b699a6cd553afc14 (patch)
treed0e94499e8fb96fcd72adbafc90f8a2c668142bd /src/core/execute.c
parent19180aadb562d43811b1c4f961f0e0b778c132ce (diff)
parent50f130c286c4a4cb87a94a0fc419a4462a98a7a1 (diff)
Merge pull request #2760 from ronnychevalier/rc/core_no_new_privileges_seccompv3
core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMIN
Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 517c2fb45b..ac2ac39892 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -24,6 +24,7 @@
#include <poll.h>
#include <signal.h>
#include <string.h>
+#include <sys/capability.h>
#include <sys/personality.h>
#include <sys/prctl.h>
#include <sys/socket.h>
@@ -1824,6 +1825,11 @@ static int exec_child(
if (params->apply_permissions) {
+ bool use_address_families = context->address_families_whitelist ||
+ !set_isempty(context->address_families);
+ bool use_syscall_filter = context->syscall_whitelist ||
+ !set_isempty(context->syscall_filter) ||
+ !set_isempty(context->syscall_archs);
int secure_bits = context->secure_bits;
for (i = 0; i < _RLIMIT_MAX; i++) {
@@ -1890,15 +1896,15 @@ static int exec_child(
return -errno;
}
- if (context->no_new_privileges)
+ if (context->no_new_privileges ||
+ (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || use_syscall_filter)))
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
*exit_status = EXIT_NO_NEW_PRIVILEGES;
return -errno;
}
#ifdef HAVE_SECCOMP
- if (context->address_families_whitelist ||
- !set_isempty(context->address_families)) {
+ if (use_address_families) {
r = apply_address_families(context);
if (r < 0) {
*exit_status = EXIT_ADDRESS_FAMILIES;
@@ -1906,9 +1912,7 @@ static int exec_child(
}
}
- if (context->syscall_whitelist ||
- !set_isempty(context->syscall_filter) ||
- !set_isempty(context->syscall_archs)) {
+ if (use_syscall_filter) {
r = apply_seccomp(context);
if (r < 0) {
*exit_status = EXIT_SECCOMP;