diff options
| author | Dmitry Vyukov <dvyukov@google.com> | 2019-07-22 11:15:52 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2019-07-22 11:51:53 +0200 |
| commit | 5181b54d45a7f7a1bd67396a8a9721ad512134fe (patch) | |
| tree | 8b7c8704b3e6368ac6f62f6b534c117e5fc54b7e /executor/common_linux.h | |
| parent | e530ec1befe3153020d601f5066939d984d790ac (diff) | |
executor: drop CAP_SYS_PTRACE with sandbox=none
We only drop CAP_SYS_PTRACE for sandbox=namespace,
but it can equally affect testing with sandbox=none.
Drop it for sandbox=none, add a test.
Diffstat (limited to 'executor/common_linux.h')
| -rw-r--r-- | executor/common_linux.h | 42 |
1 files changed, 25 insertions, 17 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h index ff3126641..682425a3d 100644 --- a/executor/common_linux.h +++ b/executor/common_linux.h @@ -1976,6 +1976,29 @@ int wait_for_loop(int pid) } #endif +#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_NAMESPACE +#include <linux/capability.h> + +static void drop_caps(void) +{ + // Drop CAP_SYS_PTRACE so that test processes can't attach to parent processes. + // Previously it lead to hangs because the loop process stopped due to SIGSTOP. + // Note that a process can always ptrace its direct children, which is enough for testing purposes. + struct __user_cap_header_struct cap_hdr = {}; + struct __user_cap_data_struct cap_data[2] = {}; + cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; + cap_hdr.pid = getpid(); + if (syscall(SYS_capget, &cap_hdr, &cap_data)) + fail("capget failed"); + const int drop = (1 << CAP_SYS_PTRACE); + cap_data[0].effective &= ~drop; + cap_data[0].permitted &= ~drop; + cap_data[0].inheritable &= ~drop; + if (syscall(SYS_capset, &cap_hdr, &cap_data)) + fail("capset failed"); +} +#endif + #if SYZ_EXECUTOR || SYZ_SANDBOX_NONE #include <sched.h> #include <sys/types.h> @@ -1997,6 +2020,7 @@ static int do_sandbox_none(void) setup_common(); sandbox_common(); + drop_caps(); #if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV initialize_netdevices_init(); #endif @@ -2063,7 +2087,6 @@ static int do_sandbox_setuid(void) #endif #if SYZ_EXECUTOR || SYZ_SANDBOX_NAMESPACE -#include <linux/capability.h> #include <sched.h> #include <sys/mman.h> #include <sys/mount.h> @@ -2151,22 +2174,7 @@ static int namespace_sandbox_proc(void* arg) fail("chroot failed"); if (chdir("/")) fail("chdir failed"); - - // Drop CAP_SYS_PTRACE so that test processes can't attach to parent processes. - // Previously it lead to hangs because the loop process stopped due to SIGSTOP. - // Note that a process can always ptrace its direct children, which is enough - // for testing purposes. - struct __user_cap_header_struct cap_hdr = {}; - struct __user_cap_data_struct cap_data[2] = {}; - cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; - cap_hdr.pid = getpid(); - if (syscall(SYS_capget, &cap_hdr, &cap_data)) - fail("capget failed"); - cap_data[0].effective &= ~(1 << CAP_SYS_PTRACE); - cap_data[0].permitted &= ~(1 << CAP_SYS_PTRACE); - cap_data[0].inheritable &= ~(1 << CAP_SYS_PTRACE); - if (syscall(SYS_capset, &cap_hdr, &cap_data)) - fail("capset failed"); + drop_caps(); loop(); doexit(1); |