support dropprivs in execlog/execprog

2 files changed, 9 insertions, 1 deletions

diff --git a/tools/execlog/execlog.go b/tools/execlog/execlog.go
index b1ee9fba8..54cadac12 100644
--- a/tools/execlog/execlog.go
+++ b/tools/execlog/execlog.go
@@ -22,6 +22,7 @@ var (
 	flagLog      = flag.String("log", "", "comma-delimited list of log files to execute")
 	flagProcs    = flag.Int("procs", 1, "number of parallel processes to execute the log")
 	flagThreaded = flag.Bool("threaded", false, "use threaded mode in executor")
+	flagNobody   = flag.Bool("nobody", true, "impersonate into nobody")
 	flagTimeout  = flag.Duration("timeout", 5*time.Second, "execution timeout")
 )
 
@@ -69,7 +70,10 @@ func main() {
 			if *flagThreaded {
 				flags |= ipc.FlagThreaded
 			}
-			env, err := ipc.MakeEnv(*flagExecutor, *flagTimeout, 0)
+			if *flagNobody {
+				flags |= ipc.FlagDropPrivs
+			}
+			env, err := ipc.MakeEnv(*flagExecutor, *flagTimeout, flags)
 			if err != nil {
 				log.Fatalf("failed to create ipc env: %v", err)
 			}
diff --git a/tools/execprog/execprog.go b/tools/execprog/execprog.go
index d4ff9fffd..234130710 100644
--- a/tools/execprog/execprog.go
+++ b/tools/execprog/execprog.go
@@ -26,6 +26,7 @@ var (
 	flagDebug    = flag.Bool("debug", true, "debug output from executor")
 	flagStrace   = flag.Bool("strace", false, "run executor under strace")
 	flagCover    = flag.String("cover", "", "collect coverage and write to the file")
+	flagNobody   = flag.Bool("nobody", true, "impersonate into nobody")
 	flagDedup    = flag.Bool("dedup", false, "deduplicate coverage in executor")
 	flagTimeout  = flag.Duration("timeout", 5*time.Second, "execution timeout")
 )
@@ -58,6 +59,9 @@ func main() {
 	if *flagDedup {
 		flags |= ipc.FlagDedupCover
 	}
+	if *flagNobody {
+		flags |= ipc.FlagDropPrivs
+	}
 	env, err := ipc.MakeEnv(*flagExecutor, *flagTimeout, flags)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "failed to create execution environment: %v\n", err)