From 259b4724c9ba20e859713b333ca5495e736e06f7 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Thu, 10 Mar 2016 19:12:23 +0100
Subject: executor: prevent test processes from ptracing parent processes

---
 executor/executor.cc | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'executor')

diff --git a/executor/executor.cc b/executor/executor.cc
index b42dba6ed..4d9ee9f26 100644
--- a/executor/executor.cc
+++ b/executor/executor.cc
@@ -7,6 +7,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -335,6 +336,22 @@ int sandbox(void* arg)
 	if (chdir("/"))
 		fail("chdir failed");
 
+	// Drop CAP_SYS_PTRACE so that test processes can't attach to parent processes.
+	// Previously it lead to hangs because the loop process stopped due to SIGSTOP.
+	// Note that a process can always ptrace its direct children, which is enough
+	// for testing purposes.
+	__user_cap_header_struct cap_hdr = {};
+	__user_cap_data_struct cap_data[2] = {};
+	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
+	cap_hdr.pid = getpid();
+	if (syscall(SYS_capget, &cap_hdr, &cap_data))
+		fail("capget failed");
+	cap_data[0].effective &= ~(1 << CAP_SYS_PTRACE);
+	cap_data[0].permitted &= ~(1 << CAP_SYS_PTRACE);
+	cap_data[0].inheritable &= ~(1 << CAP_SYS_PTRACE);
+	if (syscall(SYS_capset, &cap_hdr, &cap_data))
+		fail("capset failed");
+
 	loop();
 	exit(1);
 }
-- 
cgit mrf-deployment
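Review bot: The capset drop in the second hunk does not survive an execve while the process keeps UID 0, because CAP_SYS_PTRACE is still in the capability bounding set and a root process regains the full bounding set in its permitted/effective sets on exec, so any test program that forks and execs could ptrace the loop process again. Whether sandbox() leaves the child running as root is not visible in this hunk, but if it does, the drop should also be applied to the bounding set right after the capset, `if (prctl(PR_CAPBSET_DROP, CAP_SYS_PTRACE, 0, 0, 0)) fail("prctl(PR_CAPBSET_DROP) failed");`, which needs `#include <sys/prctl.h>` in the first hunk. Note also that the raw SYS_capset syscall changes only the calling thread's capabilities (unlike libcap's capset, which applies to all threads), which is fine here only as long as sandbox() is still single-threaded at this point; a one-line comment stating that assumption next to the capset call would help. The body of sandbox() starts before this hunk.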