passt: Drop all capabilities that we might have, except for CAP_NET_BIND_SERVICE
While it's not recommended to give passt any capability, drop all the ones we might have got by mistake, except for the only sensible one, CAP_NET_BIND_SERVICE. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
parent
32d07f5e59
commit
9f1724ad1e
1 changed files with 18 additions and 0 deletions
18
passt.c
18
passt.c
|
@ -55,6 +55,7 @@
|
||||||
#include <sys/prctl.h>
|
#include <sys/prctl.h>
|
||||||
#include <linux/filter.h>
|
#include <linux/filter.h>
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
|
#include <linux/capability.h>
|
||||||
|
|
||||||
#include "seccomp.h"
|
#include "seccomp.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
@ -185,6 +186,21 @@ static void seccomp(struct ctx *c)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* drop_caps() - Drop capabilities we might have except for CAP_NET_BIND_SERVICE
|
||||||
|
*/
|
||||||
|
static void drop_caps(void)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
|
||||||
|
for (i = 0; i < 64; i++) {
|
||||||
|
if (i == CAP_NET_BIND_SERVICE)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* main() - Entry point and main loop
|
* main() - Entry point and main loop
|
||||||
* @argc: Argument count
|
* @argc: Argument count
|
||||||
|
@ -207,6 +223,8 @@ int main(int argc, char **argv)
|
||||||
char *log_name;
|
char *log_name;
|
||||||
int nfds, i;
|
int nfds, i;
|
||||||
|
|
||||||
|
drop_caps();
|
||||||
|
|
||||||
if (strstr(argv[0], "pasta") || strstr(argv[0], "passt4netns")) {
|
if (strstr(argv[0], "pasta") || strstr(argv[0], "passt4netns")) {
|
||||||
struct sigaction sa;
|
struct sigaction sa;
|
||||||
|
|
||||||
|
|
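Review bot: prctl(PR_CAPBSET_DROP) in drop_caps() only removes capabilities from the bounding set, so a passt that starts with capabilities already in its permitted and effective sets (for example when launched as root) keeps every one of them after this call; the bounding set only limits what a later execve() could regain. To match the docstring `Drop capabilities we might have except for CAP_NET_BIND_SERVICE`, the current sets also need to be reduced with capget(2)/capset(2), keeping only CAP_NET_BIND_SERVICE. The prctl() return value is also ignored: it fails with EPERM whenever the caller lacks CAP_SETPCAP, which is the normal unprivileged case, so the loop is best-effort and deserves a comment such as `/* Bounding set only, best-effort: EPERM without CAP_SETPCAP */`; the loop could also stop at CAP_LAST_CAP from the newly included <linux/capability.h> instead of the literal 64. The sketch below uses raw syscalls, so it assumes <unistd.h> and <sys/syscall.h> are already included and, if drop_caps() ever runs after the seccomp filter is applied, that capget/capset are in its allowlist.
```c
static void drop_caps(void)
{
	struct __user_cap_header_struct hdr = {
		.version = _LINUX_CAPABILITY_VERSION_3, .pid = 0,
	};
	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
	int i;

	/* Bounding set only, best-effort: EPERM without CAP_SETPCAP */
	for (i = 0; i <= CAP_LAST_CAP; i++) {
		if (i == CAP_NET_BIND_SERVICE)
			continue;

		prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
	}

	/* Current sets: mask against what we hold, capset() rejects additions */
	if (syscall(SYS_capget, &hdr, data))
		return;

	data[0].permitted &= 1U << CAP_NET_BIND_SERVICE;
	data[0].effective &= 1U << CAP_NET_BIND_SERVICE;
	data[0].inheritable = 0;
	data[1].permitted = data[1].effective = data[1].inheritable = 0;
	syscall(SYS_capset, &hdr, data);
}
```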