instance, ujail: wire no_new_privs (-c) option

author John Crispin <blogic@openwrt.org>

Fri, 11 Dec 2015 11:04:52 +0000 (12:04 +0100)

committer John Crispin <blogic@openwrt.org>

Fri, 11 Dec 2015 11:04:52 +0000 (12:04 +0100)
author John Crispin <blogic@openwrt.org>
Fri, 11 Dec 2015 11:04:52 +0000 (12:04 +0100)
committer John Crispin <blogic@openwrt.org>
Fri, 11 Dec 2015 11:04:52 +0000 (12:04 +0100)
diff --git a/service/instance.c b/service/instance.c

index 26faa9a5e930398c8d78cc16ee2f9c650095cf55..52f5cf29bb38a19387e9f8f5d90673f97664e079 100644 (file)
--- a/service/instance.c
+++ b/service/instance.c
@@ -49,6 +49,7 @@ enum {
         INSTANCE_ATTR_USER,
         INSTANCE_ATTR_STDOUT,
         INSTANCE_ATTR_STDERR,
+       INSTANCE_ATTR_NO_NEW_PRIVS,
         INSTANCE_ATTR_JAIL,
         INSTANCE_ATTR_TRACE,
         INSTANCE_ATTR_SECCOMP,
@@ -70,6 +71,7 @@ static const struct blobmsg_policy instance_attr[__INSTANCE_ATTR_MAX] = {
         [INSTANCE_ATTR_USER] = { "user", BLOBMSG_TYPE_STRING },
         [INSTANCE_ATTR_STDOUT] = { "stdout", BLOBMSG_TYPE_BOOL },
         [INSTANCE_ATTR_STDERR] = { "stderr", BLOBMSG_TYPE_BOOL },
+       [INSTANCE_ATTR_NO_NEW_PRIVS] = { "no_new_privs", BLOBMSG_TYPE_BOOL },
         [INSTANCE_ATTR_JAIL] = { "jail", BLOBMSG_TYPE_TABLE },
         [INSTANCE_ATTR_TRACE] = { "trace", BLOBMSG_TYPE_BOOL },
         [INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING },
@@ -188,6 +190,9 @@ jail_run(struct service_instance *in, char **argv)
                 argv[argc++] = in->seccomp;
         }
  
+       if (in->no_new_privs)
+               argv[argc++] = "-c";
+
         if (jail->procfs)
                 argv[argc++] = "-p";
  
@@ -752,6 +757,9 @@ instance_config_parse(struct service_instance *in)
         if (tb[INSTANCE_ATTR_TRACE])
                 in->trace = blobmsg_get_bool(tb[INSTANCE_ATTR_TRACE]);
  
+       if (tb[INSTANCE_ATTR_NO_NEW_PRIVS])
+               in->no_new_privs = blobmsg_get_bool(tb[INSTANCE_ATTR_NO_NEW_PRIVS]);
+
         if (!in->trace && tb[INSTANCE_ATTR_SECCOMP]) {
                 char *seccomp = blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP]);
                 struct stat s;
@@ -941,6 +949,9 @@ void instance_dump(struct blob_buf *b, struct service_instance *in, int verbose)
         if (in->trace)
                 blobmsg_add_u8(b, "trace", true);
  
+       if (in->no_new_privs)
+               blobmsg_add_u8(b, "no_new_privs", true);
+
         if (in->seccomp)
                 blobmsg_add_string(b, "seccomp", in->seccomp);
  
diff --git a/service/instance.h b/service/instance.h

index 43844dc11f68b125628a0145d6c289e8caa5a236..770000001b62c993d5a6902bbe685d127d0df5ca 100644 (file)
--- a/service/instance.h
+++ b/service/instance.h
@@ -52,6 +52,7 @@ struct service_instance {
  
         bool trace;
         bool has_jail;
+       bool no_new_privs;
         struct jail jail;
         char *seccomp;
author	John Crispin <blogic@openwrt.org>
	Fri, 11 Dec 2015 11:04:52 +0000 (12:04 +0100)
committer	John Crispin <blogic@openwrt.org>
	Fri, 11 Dec 2015 11:04:52 +0000 (12:04 +0100)
service/instance.c		patch \| blob \| history
service/instance.h		patch \| blob \| history