| author | Dmitry Vyukov <dvyukov@google.com> | 2017-11-17 14:28:45 +0100 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2017-11-17 14:28:45 +0100 |
| commit | 3fb087023a62213a128683d3ef52ff52d32b07fe (patch) | |
| tree | f5cc6805e49d830c0d7ef44ed76a187f3b34241a /pkg/osutil | |
| parent | e3d71793964450d7368ec6b4609dc593ce30b4d9 (diff) | |
pkg/osutil: properly set gid for sandboxing
Diffstat (limited to 'pkg/osutil')
| -rw-r--r-- | pkg/osutil/osutil_linux.go | 36 |
1 files changed, 25 insertions, 11 deletions
diff --git a/pkg/osutil/osutil_linux.go b/pkg/osutil/osutil_linux.go
index d2aa34f1f..21b50a484 100644
--- a/pkg/osutil/osutil_linux.go
+++ b/pkg/osutil/osutil_linux.go
@@ -37,13 +37,13 @@ func Sandbox(cmd *exec.Cmd, user, net bool) error {
 		cmd.SysProcAttr = new(syscall.SysProcAttr)
 	}
 	if user {
-		uid, err := initSandbox()
+		uid, gid, err := initSandbox()
 		if err != nil {
 			return err
 		}
 		cmd.SysProcAttr.Credential = &syscall.Credential{
 			Uid: uid,
-			Gid: uid,
+			Gid: gid,
 		}
 	}
 	if net {
@@ -54,7 +54,7 @@ func Sandbox(cmd *exec.Cmd, user, net bool) error {
 }
 
 func SandboxChown(file string) error {
-	uid, err := initSandbox()
+	uid, _, err := initSandbox()
 	if err != nil {
 		return err
 	}
@@ -65,25 +65,39 @@ var (
 	sandboxOnce sync.Once
 	sandboxUsername = "syzkaller"
 	sandboxUID = ^uint32(0)
+	sandboxGID = ^uint32(0)
 )
 
-func initSandbox() (uint32, error) {
+func initSandbox() (uint32, uint32, error) {
 	sandboxOnce.Do(func() {
-		out, err := RunCmd(time.Minute, "", "id", "-u", sandboxUsername)
-		if err != nil || len(out) == 0 {
+		uid, err := usernameToID("-u")
+		if err != nil {
 			return
 		}
-		str := strings.Trim(string(out), " \t\n")
-		uid, err := strconv.ParseUint(str, 10, 32)
+		gid, err := usernameToID("-g")
 		if err != nil {
 			return
 		}
-		sandboxUID = uint32(uid)
+		sandboxUID = uid
+		sandboxGID = gid
 	})
 	if sandboxUID == ^uint32(0) {
-		return 0, fmt.Errorf("user %q is not found, can't sandbox command", sandboxUsername)
+		return 0, 0, fmt.Errorf("user %q is not found, can't sandbox command", sandboxUsername)
+	}
+	return sandboxUID, sandboxGID, nil
+}
+
+func usernameToID(what string) (uint32, error) {
+	out, err := RunCmd(time.Minute, "", "id", what, sandboxUsername)
+	if err != nil {
+		return 0, err
+	}
+	str := strings.Trim(string(out), " \t\n")
+	id, err := strconv.ParseUint(str, 10, 32)
+	if err != nil {
+		return 0, err
 	}
-	return sandboxUID, nil
+	return uint32(id), nil
 }
 
 func setPdeathsig(cmd *exec.Cmd) {
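Review bot: SandboxChown now discards the group id in `uid, _, err := initSandbox()`; if the chown further down passes uid as the group argument, the way the old Credential did before this commit, it keeps the same uid-for-gid confusion that the first hunk fixes and should read `uid, gid, err := initSandbox()` with gid used for the group. The body of SandboxChown continues outside the hunk, so this is inferred from the signature change alone and needs checking against the chown call.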
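Review bot: The errors returned by usernameToID are dropped inside the sync.Once closure in initSandbox, so every caller sees the fixed message `user "syzkaller" is not found, can't sandbox command` even when the real cause is a RunCmd failure, the one-minute timeout, or unparsable `id` output, and the sentinel check on sandboxUID cannot distinguish a missing user from a failed `id -g` after a successful `id -u`. Since sandboxOnce never re-runs, the first failure is also the only diagnostic the process will ever produce, so it should name the actual error. Record the first error in a package-level variable next to sandboxUID/sandboxGID and return it from initSandbox, keeping the existing message as the prefix.

```go
	sandboxGID = ^uint32(0)
	sandboxErr error
)

func initSandbox() (uint32, uint32, error) {
	sandboxOnce.Do(func() {
		uid, err := usernameToID("-u")
		if err != nil {
			sandboxErr = fmt.Errorf("user %q is not found, can't sandbox command: %v", sandboxUsername, err)
			return
		}
		gid, err := usernameToID("-g")
		if err != nil {
			sandboxErr = fmt.Errorf("group of user %q is not found, can't sandbox command: %v", sandboxUsername, err)
			return
		}
		sandboxUID = uid
		sandboxGID = gid
	})
	if sandboxErr != nil {
		return 0, 0, sandboxErr
	}
	return sandboxUID, sandboxGID, nil
}

// … unchanged: usernameToID …
```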
