authorEtienne CHAMPETIER <champetier.etienne@gmail.com>2015-08-27 01:26:45 +0200
committerJohn Crispin <blogic@openwrt.org>2015-10-07 11:07:54 +0200
commit51201235db9dad9fe1823d9de46ed90f5e160fd0 (patch)
tree6abff11a7f8ffd602756ce3802ddafdab48bdc9e /jail/jail.c
parentfafbf7338ec8304f2a0ec0ba76048fba2c01c07e (diff)
jail: add capabilities support
If there is one or more capabilities in cap.keep, drop all capabilities not in cap.keep. Always drop all capabilities in cap.drop. Example JSON syntax: { "cap.keep": [ "cap_net_raw" ], "cap.drop": [] } Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Diffstat (limited to 'jail/jail.c')
-rw-r--r--jail/jail.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/jail/jail.c b/jail/jail.c
index f8139b8..3d0830e 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -37,19 +37,21 @@
#include <sched.h>
#include "elf.h"
+#include "capabilities.h"
#include <libubox/utils.h>
#include <libubox/list.h>
#include <libubox/uloop.h>
#define STACK_SIZE (1024 * 1024)
-#define OPT_ARGS "P:S:n:r:w:d:psulo"
+#define OPT_ARGS "P:S:C:n:r:w:d:psulo"
static struct {
char *path;
char *name;
char **jail_argv;
char *seccomp;
+ char *capabilities;
int procfs;
int ronly;
int sysfs;
@@ -243,6 +245,7 @@ static void usage(void)
fprintf(stderr, "ujail <options> -- <binary> <params ...>\n");
fprintf(stderr, " -P <path>\tpath where the jail will be staged\n");
fprintf(stderr, " -S <file>\tseccomp filter\n");
+ fprintf(stderr, " -C <file>\tcapabilities drop config\n");
fprintf(stderr, " -n <name>\tthe name of the jail\n");
fprintf(stderr, " -r <file>\treadonly files that should be staged\n");
fprintf(stderr, " -w <file>\twriteable files that should be staged\n");
@@ -255,7 +258,7 @@ static void usage(void)
fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\
and he has the same powers as root outside the jail,\n\
thus he can escape the jail and/or break stuff.\n\
-Please use an appropriate seccomp filter (-S) to restrict his powers\n");
+Please use an appropriate seccomp/capabilities filter (-S/-C) to restrict his powers\n");
}
static int spawn_jail(void *arg)
@@ -273,8 +276,8 @@ static int spawn_jail(void *arg)
if (!envp)
exit(EXIT_FAILURE);
- //TODO: drop capabilities() here
- //prctl(PR_CAPBSET_DROP, ..., 0, 0, 0);
+ if (opts.capabilities && drop_capabilities(opts.capabilities))
+ exit(EXIT_FAILURE);
INFO("exec-ing %s\n", *opts.jail_argv);
execve(*opts.jail_argv, opts.jail_argv, envp);
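Review bot: The new `exit(EXIT_FAILURE)` after a failed `drop_capabilities()` call fails closed, which is the right default, but this call site gives no diagnostic. Unless the helper logs on its own (its body is not in this diff), an operator sees the jail die without knowing the capability policy was the cause. I would log before exiting, e.g. `ERROR("failed to drop capabilities using %s\n", opts.capabilities);`. A short comment above the check would also help, e.g. `/* must happen before execve(): a jail that cannot apply its policy must not start */`. spawn_jail() begins and ends outside this hunk, so the ordering relative to the rest of the jail setup cannot be confirmed from here.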
@@ -354,6 +357,10 @@ int main(int argc, char **argv)
opts.seccomp = optarg;
add_extra(optarg, 1);
break;
+ case 'C':
+ opts.capabilities = optarg;
+ add_extra(optarg, 1);
+ break;
case 'P':
opts.path = optarg;
break;
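Review bot: The new `case 'C'` copies the `-S` case without saying why the policy file is passed to `add_extra(optarg, 1)`. The literal `1` presumably means a read-only stage, by analogy with `-r`, but the hunk does not show that. A comment such as `/* stage the policy file into the jail so drop_capabilities() can open it after the root switch */` would record the intent, if that is indeed the reason. Staging also makes the capability policy readable by the jailed process, which is worth stating in the comment. A repeated `-C` silently replaces `opts.capabilities` while the earlier file stays staged, so rejecting a second `-C`, or documenting that the last one wins, would avoid surprises. main() continues outside this hunk.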