commit 21b9d712095829cc2ae4385f423fdd833ff42260
parent 25e2fa17c032bf14df6019c605af797a9b590a64
Author: Brian Swetland <swetland@frotz.net>
Date: Sun, 27 Apr 2014 00:32:40 -0700
drop capability bits too
Diffstat:
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/mkbox.c b/mkbox.c
@@ -28,8 +28,12 @@
#include <sys/mount.h>
#include <sys/wait.h>
#include <fcntl.h>
+#include <linux/capability.h>
-int pivot_root(const char *new_root, const char *put_old); /* header? */
+/* can't find headers for these, but they're in glibc... */
+int pivot_root(const char *new_root, const char *put_old);
+int capset(cap_user_header_t h, cap_user_data_t d);
+int capset(cap_user_header_t h, cap_user_data_t d);
static int checkreturn(int res, const char *name, int line) {
if (res >= 0)
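Review bot: The prototype `int capset(cap_user_header_t h, cap_user_data_t d);` is added twice in a row in this hunk; the repeat is harmless to the compiler but should be dropped so the hand-written declarations stay easy to audit. Because these prototypes are not checked against any header, it would help to extend the comment to say where each signature comes from, for example `/* no glibc header declares these; signatures per pivot_root(2) and capset(2) */`.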
@@ -41,6 +45,15 @@ static int checkreturn(int res, const char *name, int line) {
#define ok(fname, arg...) checkreturn(fname(arg), #fname, __LINE__)
+int dropcaps(void) {
+ struct __user_cap_header_struct header;
+ struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
+ header.version = _LINUX_CAPABILITY_VERSION_3;
+ header.pid = 0;
+ memset(data, 0, sizeof(data));
+ return capset(&header, data);
+}
+
int main(int argc, char **argv) {
char buf[1024];
int fd;
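Review bot: `dropcaps()` zeroes the effective, permitted and inheritable sets through `capset`, but nothing in this hunk restricts the capability bounding set or sets no_new_privs. A later `execve` of a setuid-root or file-capability binary may therefore regain capabilities. Whether that is reachable depends on the uid setup and exec path, which are outside this hunk. Consider calling `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` next to the `capset` call and checking its result the same way. Two smaller points: the function can be `static int dropcaps(void)` to match `checkreturn`, and `memset` needs `<string.h>`, which is not among the includes visible in this diff.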
@@ -128,6 +141,9 @@ int main(int argc, char **argv) {
MS_RDONLY|MS_NOSUID|MS_REMOUNT|MS_NOATIME|MS_BIND|MS_RDONLY,
NULL);
+ /* discard all capability bits */
+ ok(dropcaps);
+
/* we must fork to become pid 1 in the new pid namespace */
cpid = ok(fork);
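Review bot: The comment on `ok(dropcaps);` says what is done but not why it sits at this point, and the placement is the security-relevant part. Every privileged step (the mounts above it) has to stay before this call, and anything after it, including the forked child, runs with empty capability sets. I would write it as `/* last privileged operation is done: discard all capability bits before fork so the child inherits none */`, to be adjusted if later code outside this hunk still needs privileges. `main` starts and ends outside the hunk, so the steps after `fork` were not reviewed.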