From patchwork Mon Nov 30 23:09:24 2015
X-Patchwork-Submitter: Etienne Champetier
X-Patchwork-Id: 550554
From: Etienne CHAMPETIER
To: OpenWrt Development List
Date: Mon, 30 Nov 2015 23:09:24 +0000
Message-Id: <1448924967-63976-7-git-send-email-champetier.etienne@gmail.com>
Subject: [OpenWrt-Devel] [PATCH procd 6/9] ujail: add no_new_privs (-c) option

set PR_SET_NO_NEW_PRIVS to 1

Signed-off-by: Etienne CHAMPETIER
--- jail/jail.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/jail/jail.c b/jail/jail.c index 25ad4d7..97ddaab 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -35,13 +35,14 @@ #include #define STACK_SIZE (1024 * 1024) -#define OPT_ARGS "S:C:n:r:w:d:psulo" +#define OPT_ARGS "S:C:n:r:w:d:psuloc" static struct { char *name; char **jail_argv; char *seccomp; char *capabilities; + int no_new_privs; int namespace; int procfs; int ronly; 
@@ -212,6 +213,7 @@ static void usage(void) fprintf(stderr, " -d \tshow debug log (increase num to increase verbosity)\n"); fprintf(stderr, " -S \tseccomp filter config\n"); fprintf(stderr, " -C \tcapabilities drop config\n"); + fprintf(stderr, " -c\t\tset PR_SET_NO_NEW_PRIVS\n"); fprintf(stderr, " -n \tthe name of the jail\n"); fprintf(stderr, "namespace jail options:\n"); fprintf(stderr, " -r \treadonly files that should be staged\n"); @@ -239,6 +241,11 @@ static int exec_jail(void) if (opts.capabilities && drop_capabilities(opts.capabilities)) exit(EXIT_FAILURE); + if (opts.no_new_privs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %s\n", strerror(errno)); + exit(EXIT_FAILURE); + } + INFO("exec-ing %s\n", *opts.jail_argv); execve(*opts.jail_argv, opts.jail_argv, envp); /* we get there only if execve fails */ @@ -321,6 +328,9 @@ int main(int argc, char **argv) opts.capabilities = optarg; add_mount(optarg, 1, -1); break; + case 'c': + opts.no_new_privs = 1; + break; case 'n': opts.name = optarg; break;
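Review bot: in the first hunk (OPT_ARGS), the new `c` flag differs only by case from the existing `C:`, which takes the capabilities drop config as its argument. With getopt-style parsing, someone who types `-c <file>` meaning `-C <file>` gets no_new_privs set, no capabilities dropped, and the file name left over as a positional argument, with no diagnostic. A more distinct letter would avoid that, or main() could warn when `-c` is followed by something that is not the jailed program.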
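Review bot: in the usage() hunk, the help line for `-c` names the prctl constant rather than the effect, so it only helps readers who already know the flag. Suggest wording along the lines of "set no_new_privs (execve cannot gain privileges through setuid/setgid bits or file capabilities)". The one-line commit message has the same gap: it says what is set but not why, or how the option is meant to combine with `-S` and `-C`.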
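Review bot: in the exec_jail() hunk, the new block uses prctl(), PR_SET_NO_NEW_PRIVS, strerror() and errno, but the patch adds no #include, so it relies on jail.c already pulling in sys/prctl.h, string.h and errno.h. Please confirm that this also builds against the older kernel headers OpenWrt targets, since PR_SET_NO_NEW_PRIVS only exists from Linux 3.5. Exiting with EXIT_FAILURE when the prctl fails is the right choice (the jail fails closed instead of exec-ing without the bit). The call also sits after the drop_capabilities() check and directly before execve(), and a short comment saying that this order is intentional would help the next reader.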