From patchwork Mon Nov 30 23:09:25 2015
X-Patchwork-Submitter: Etienne Champetier
X-Patchwork-Id: 550556
From: Etienne CHAMPETIER
To: OpenWrt Development List
Date: Mon, 30 Nov 2015 23:09:25 +0000
Message-Id: <1448924967-63976-8-git-send-email-champetier.etienne@gmail.com>
In-Reply-To: <1448924967-63976-1-git-send-email-champetier.etienne@gmail.com>
References: <1448924967-63976-1-git-send-email-champetier.etienne@gmail.com>
Subject: [OpenWrt-Devel] [PATCH procd 7/9] instance, ujail: wire no_new_privs (-c) option
List-Id: OpenWrt Development List

Signed-off-by: Etienne CHAMPETIER
---
service/instance.c | 11 +++++++++++
service/instance.h | 1 +
2 files changed, 12 insertions(+)

diff --git a/service/instance.c b/service/instance.c index 586c0ee..ad0d284 100644 --- a/service/instance.c +++ b/service/instance.c @@ -49,6 +49,7 @@ enum { INSTANCE_ATTR_USER, INSTANCE_ATTR_STDOUT, INSTANCE_ATTR_STDERR, + INSTANCE_ATTR_NO_NEW_PRIVS, INSTANCE_ATTR_JAIL, INSTANCE_ATTR_TRACE, INSTANCE_ATTR_SECCOMP,
@@ -71,6 +72,7 @@ static const struct blobmsg_policy instance_attr[__INSTANCE_ATTR_MAX] = { [INSTANCE_ATTR_USER] = { "user", BLOBMSG_TYPE_STRING }, [INSTANCE_ATTR_STDOUT] = { "stdout", BLOBMSG_TYPE_BOOL }, [INSTANCE_ATTR_STDERR] = { "stderr", BLOBMSG_TYPE_BOOL }, + [INSTANCE_ATTR_NO_NEW_PRIVS] = { "no_new_privs", BLOBMSG_TYPE_BOOL }, [INSTANCE_ATTR_JAIL] = { "jail", BLOBMSG_TYPE_TABLE }, [INSTANCE_ATTR_TRACE] = { "trace", BLOBMSG_TYPE_BOOL }, [INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING }, @@ -195,6 +197,9 @@ jail_run(struct service_instance *in, char **argv) argv[argc++] = in->capabilities; } + if (in->no_new_privs) + argv[argc++] = "-c"; + if (jail->procfs) argv[argc++] = "-p"; @@ -762,6 +767,9 @@ instance_config_parse(struct service_instance *in) if (tb[INSTANCE_ATTR_TRACE]) in->trace = blobmsg_get_bool(tb[INSTANCE_ATTR_TRACE]); + if (tb[INSTANCE_ATTR_NO_NEW_PRIVS]) + in->no_new_privs = blobmsg_get_bool(tb[INSTANCE_ATTR_NO_NEW_PRIVS]); + if (!in->trace && tb[INSTANCE_ATTR_SECCOMP]) { char *seccomp = blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP]); struct stat s; @@ -960,6 +968,9 @@ void instance_dump(struct blob_buf *b, struct service_instance *in, int verbose) if (in->trace) blobmsg_add_u8(b, "trace", true); + if (in->no_new_privs) + blobmsg_add_u8(b, "no_new_privs", true); + if (in->seccomp) blobmsg_add_string(b, "seccomp", in->seccomp); diff --git a/service/instance.h b/service/instance.h index 80268af..0af9680 100644 --- a/service/instance.h +++ b/service/instance.h @@ -52,6 +52,7 @@ struct service_instance { bool trace; bool has_jail; + bool no_new_privs; struct jail jail; char *seccomp; char *capabilities;
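Review bot: in the jail_run hunk, "-c" is only appended to the ujail argv, while the instance_config_parse hunk sets in->no_new_privs for every instance, jailed or not. A service that sets no_new_privs without a jail table therefore has the option parsed and reported by instance_dump but never enforced. Either apply prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) in the non-jail exec path as well, or reject (or at least log) no_new_privs when no jail is configured, and state the dependency on jail in the option's documentation. It is also worth confirming that the argv array passed to jail_run has a spare slot for the extra entry, since `argv[argc++] = "-c";` adds one without a bounds check.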
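Review bot: the instance_config_parse hunk reads no_new_privs independently of the seccomp handling immediately below it (`if (!in->trace && tb[INSTANCE_ATTR_SECCOMP])`). Since the kernel only allows a process without CAP_SYS_ADMIN to install a seccomp filter once no_new_privs is set, it would help to document how the two options interact, and to consider whether a seccomp filter should imply no_new_privs rather than leaving it to the service author to set both.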