author | Damien Martin-Guillerez <dmarting@google.com> | 2015-05-18 09:52:43 +0000 |
committer | Damien Martin-Guillerez <dmarting@google.com> | 2015-05-18 19:59:35 +0000 |
commit | aabdb67c17ec26df3bea15ca3c7f88c73d565bcf (patch) | |
tree | bdb2bd4350572c479ad31fbec68e644417336d9a /src/main | |
parent | cb598ef624d7f451fcaff25f01ab98c2bc1901a8 (diff) |
namespace-sandbox: write "deny" to /proc/self/setgroups
This removes the "Operation not permitted" error when trying to write
the gid mapping. The error message was the result of a change
in Linux 3.19 to address a security issue. Further explanation
can be found in the source example of
http://man7.org/linux/man-pages/man7/user_namespaces.7.html.
--
MOS_MIGRATED_REVID=93870786
Diffstat (limited to 'src/main')
-rw-r--r-- | src/main/tools/namespace-sandbox.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/main/tools/namespace-sandbox.c b/src/main/tools/namespace-sandbox.c
index 2ea49f812a..e14ef70b39 100644
--- a/src/main/tools/namespace-sandbox.c
+++ b/src/main/tools/namespace-sandbox.c
@@ -179,6 +179,14 @@ parsing_finished:
     CHECK_CALL(chdir(".."));
   }
+  // Disable needs for CAP_SETGID
+  int r = WriteFile("/proc/self/setgroups", "deny");
+  if (r < 0 && errno != ENOENT) {
+    // Writing to /proc/self/setgroups might fail on earlier
+    // version of linux because setgroups does not exist, ignore.
+    perror("WriteFile(\"/proc/self/setgroups\", \"deny\")");
+    exit(-1);
+  }
   // set group and user mapping from outer namespace to inner:
   // no changes in the parent, be root in the child
   CHECK_CALL(WriteFile("/proc/self/uid_map", "0 %d 1\n", uid)); |
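Review bot: The comment inside the new `if` block says "ignore", but that branch is the one that does not ignore the failure — it reports it and calls `exit(-1)`; the only tolerated case is `errno == ENOENT`, which is handled by the condition above the comment, so a reader is told the opposite of what the code does. I would move and reword the comment to sit on the `WriteFile` call, e.g. `// Linux >= 3.19 refuses gid_map writes unless setgroups(2) is denied first (see user_namespaces(7)); the file is absent on older kernels, so ENOENT is the only failure tolerated.`, and drop the "ignore" line. The `perror` also relies on `WriteFile` leaving `errno` intact from the failing syscall; I cannot see `WriteFile` here, so that is worth confirming, since a wrapper that closes or frees on its error path can clobber `errno` and turn the ENOENT exemption into a hard exit. Note that `exit(-1)` is reported to the parent as status 255, which is fine but worth matching to whatever `CHECK_CALL` uses elsewhere in this file. The enclosing function starts and ends outside this hunk.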