[OpenWrt-Devel] [PATCH procd 7/9] instance, ujail: wire no_new_privs (-c) option

Mon, 30 Nov 2015 15:16:53 -0800 

Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com>
---
 service/instance.c | 11 +++++++++++
 service/instance.h |  1 +
 2 files changed, 12 insertions(+)

diff --git a/service/instance.c b/service/instance.c
index 586c0ee..ad0d284 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -49,6 +49,7 @@ enum {
        INSTANCE_ATTR_USER,
        INSTANCE_ATTR_STDOUT,
        INSTANCE_ATTR_STDERR,
+       INSTANCE_ATTR_NO_NEW_PRIVS,
        INSTANCE_ATTR_JAIL,
        INSTANCE_ATTR_TRACE,
        INSTANCE_ATTR_SECCOMP,
@@ -71,6 +72,7 @@ static const struct blobmsg_policy 
instance_attr[__INSTANCE_ATTR_MAX] = {
        [INSTANCE_ATTR_USER] = { "user", BLOBMSG_TYPE_STRING },
        [INSTANCE_ATTR_STDOUT] = { "stdout", BLOBMSG_TYPE_BOOL },
        [INSTANCE_ATTR_STDERR] = { "stderr", BLOBMSG_TYPE_BOOL },
+       [INSTANCE_ATTR_NO_NEW_PRIVS] = { "no_new_privs", BLOBMSG_TYPE_BOOL },
        [INSTANCE_ATTR_JAIL] = { "jail", BLOBMSG_TYPE_TABLE },
        [INSTANCE_ATTR_TRACE] = { "trace", BLOBMSG_TYPE_BOOL },
        [INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING },
@@ -195,6 +197,9 @@ jail_run(struct service_instance *in, char **argv)
                argv[argc++] = in->capabilities;
        }
 
+       if (in->no_new_privs)
+               argv[argc++] = "-c";
+
        if (jail->procfs)
                argv[argc++] = "-p";
 
@@ -762,6 +767,9 @@ instance_config_parse(struct service_instance *in)
        if (tb[INSTANCE_ATTR_TRACE])
                in->trace = blobmsg_get_bool(tb[INSTANCE_ATTR_TRACE]);
 
+       if (tb[INSTANCE_ATTR_NO_NEW_PRIVS])
+               in->no_new_privs = 
blobmsg_get_bool(tb[INSTANCE_ATTR_NO_NEW_PRIVS]);
+
        if (!in->trace && tb[INSTANCE_ATTR_SECCOMP]) {
                char *seccomp = blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP]);
                struct stat s;
@@ -960,6 +968,9 @@ void instance_dump(struct blob_buf *b, struct 
service_instance *in, int verbose)
        if (in->trace)
                blobmsg_add_u8(b, "trace", true);
 
+       if (in->no_new_privs)
+               blobmsg_add_u8(b, "no_new_privs", true);
+
        if (in->seccomp)
                blobmsg_add_string(b, "seccomp", in->seccomp);
 
diff --git a/service/instance.h b/service/instance.h
index 80268af..0af9680 100644
--- a/service/instance.h
+++ b/service/instance.h
@@ -52,6 +52,7 @@ struct service_instance {
 
        bool trace;
        bool has_jail;
+       bool no_new_privs;
        struct jail jail;
        char *seccomp;
        char *capabilities;
-- 
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

Reply via email to