pasta: Set ping_group_range upon namespace creation

...this allows processes running as the only group available in the
namespace to create ICMP Echo sockets.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Stefano Brivio 2021-09-09 15:06:49 +02:00
parent 9d19f5bc73
commit 089dec90ca


@ -216,6 +216,10 @@ static void pasta_start_ns(struct ctx *c)
write(fd, buf, strlen(buf)); write(fd, buf, strlen(buf));
close(fd); close(fd);
fd = open("/proc/sys/net/ipv4/ping_group_range", O_WRONLY);
write(fd, "0 0", strlen("0 0"));
close(fd);
shell = getenv("SHELL") ? getenv("SHELL") : "/bin/sh"; shell = getenv("SHELL") ? getenv("SHELL") : "/bin/sh";
if (strstr(shell, "/bash")) if (strstr(shell, "/bash"))
execve(shell, ((char *[]) { shell, "-l", NULL }), environ); execve(shell, ((char *[]) { shell, "-l", NULL }), environ);
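Review bot: The result of the added `open("/proc/sys/net/ipv4/ping_group_range", O_WRONLY)` is never checked, so if it fails `write()` and `close()` run on fd -1 and the namespace silently keeps its previous range. A user who expects ICMP Echo sockets to work then gets a bare socket error with nothing pointing at this step. I would report the failure and continue, for example `if (fd < 0 || write(fd, "0 0", strlen("0 0")) < 0) perror("ping_group_range");` followed by `if (fd >= 0) close(fd);`. The unchanged `write()`/`close()` pair just above appears to follow the same unchecked pattern. A short comment such as `/* Allow GID 0, the only group available in this namespace, to open ICMP Echo sockets */` would also record why the range is "0 0" and not something wider. The body of pasta_start_ns() starts and ends outside this hunk, so any error handling around it is not visible here.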