set SECBIT_KEEP_CAPS

That's the one we actually want instead of PR_SET_KEEPCAPS Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-07-15 09:05:58 +02:00 · 2019-07-15 09:05:58 +02:00 · 738dbfbe69
commit 738dbfbe69
parent 7ca1a14c8c
5 changed files with 51 additions and 0 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -7,6 +7,7 @@ authors = [
 ]

 [dependencies]
+bitflags = "1.1"
 errno = "0.2"
 failure = "0.1"
 lazy_static = "1.3"
--- a/src/capability.rs
+++ b/src/capability.rs
@ -0,0 +1,33 @@
+use std::io;
+use std::os::raw::c_ulong;
+
+use crate::{c_call, io_format_err};
+
+bitflags::bitflags! {
+    pub struct SecureBits: c_ulong {
+        const NOROOT                        = 0b000000001;
+        const NOROOT_LOCKED                 = 0b000000010;
+        const NO_SETUID_FIXUP               = 0b000000100;
+        const NO_SETUID_FIXUP_LOCKED        = 0b000001000;
+        const KEEP_CAPS                     = 0b000010000;
+        const KEEP_CAPS_LOCKED              = 0b000100000;
+        const NO_CAP_AMBIENT_RAISE          = 0b001000000;
+        const NO_CAP_AMBIENT_RAISE_LOCKED   = 0b010000000;
+
+        const ALL_BITS                      = 0b001010101;
+        const ALL_LOCKS                     = 0b010101010;
+    }
+}
+
+impl SecureBits {
+    pub fn apply(&self) -> io::Result<()> {
+        c_call!(unsafe { libc::prctl(libc::PR_SET_SECUREBITS, self.bits()) })?;
+        Ok(())
+    }
+
+    pub fn get_current() -> io::Result<Self> {
+        let bits = c_call!(unsafe { libc::prctl(libc::PR_GET_SECUREBITS) })?;
+        Self::from_bits(bits as _)
+            .ok_or_else(|| io_format_err!("prctl() returned unknown securebits"))
+    }
+}
--- a/src/main.rs
+++ b/src/main.rs
@ -6,6 +6,7 @@ use failure::{bail, format_err, Error};
 use nix::sys::socket::SockAddr;

 pub mod apparmor;
+pub mod capability;
 pub mod client;
 pub mod fork;
 pub mod lxcseccomp;
--- a/src/pidfd.rs
+++ b/src/pidfd.rs
@ -445,10 +445,12 @@ impl UserCaps<'_> {
    }

    fn apply_user_caps(&self) -> io::Result<()> {
+        use crate::capability::SecureBits;
        unsafe {
            libc::umask(self.umask);
        }
        Capabilities::set_keep_caps(true)?;
+        (SecureBits::get_current()? | SecureBits::KEEP_CAPS).apply()?;
        c_try!(unsafe { libc::setegid(self.egid) });
        c_try!(unsafe { libc::setfsgid(self.fsgid) });
        c_try!(unsafe { libc::seteuid(self.euid) });
--- a/src/tools.rs
+++ b/src/tools.rs
@ -312,3 +312,17 @@ impl<T: FromRawFd> FromFd for T {
        unsafe { Self::from_raw_fd(fd.into_raw_fd()) }
    }
 }
+
+#[macro_export]
+macro_rules! io_format_err {
+    ($($msg:tt)*) => {
+        ::std::io::Error::new(::std::io::ErrorKind::Other, format!($($msg)*))
+    };
+}
+
+#[macro_export]
+macro_rules! io_bail {
+    ($($msg:tt)*) => {
+        return Err(::std::io::Error::new(::std::io::ErrorKind::Other, format!($($msg)*)));
+    };
+}