mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
don't drop CAP_SYS_PTRACE as it is apparently needed by sandbox
running as root when combined with apparmor (or possibly yama) LSM PiperOrigin-RevId: 578762678 Change-Id: I60803b4ed78c6750f8ce0e0c909e5cec4f619da8
This commit is contained in:
parent
79ab44c981
commit
6f90a6ef2a
|
@ -543,16 +543,20 @@ bool ForkServer::Initialize() {
|
||||||
cap_t wanted_caps = cap_init(); // starts as empty set, ie. no caps
|
cap_t wanted_caps = cap_init(); // starts as empty set, ie. no caps
|
||||||
SAPI_RAW_CHECK(wanted_caps, "failed to cap_init()");
|
SAPI_RAW_CHECK(wanted_caps, "failed to cap_init()");
|
||||||
|
|
||||||
for (cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) {
|
// CAP_SYS_PTRACE appears to be needed for apparmor (or possibly yama)
|
||||||
cap_flag_value_t value;
|
// CAP_SETFCAP is needed on newer kernels (5.10 needs it, 4.15 does not)
|
||||||
int rc = cap_get_flag(have_caps, CAP_SETFCAP, flag, &value);
|
for (cap_value_t cap : {CAP_SYS_PTRACE, CAP_SETFCAP}) {
|
||||||
SAPI_RAW_CHECK(!rc, "cap_get_flag");
|
for (cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) {
|
||||||
if (value == CAP_SET) {
|
cap_flag_value_t value;
|
||||||
cap_value_t caps_to_set[1] = {
|
int rc = cap_get_flag(have_caps, cap, flag, &value);
|
||||||
CAP_SETFCAP,
|
SAPI_RAW_CHECK(!rc, "cap_get_flag");
|
||||||
};
|
if (value == CAP_SET) {
|
||||||
rc = cap_set_flag(wanted_caps, flag, 1, caps_to_set, CAP_SET);
|
cap_value_t caps_to_set[1] = {
|
||||||
SAPI_RAW_CHECK(!rc, "cap_set_flag");
|
cap,
|
||||||
|
};
|
||||||
|
rc = cap_set_flag(wanted_caps, flag, 1, caps_to_set, CAP_SET);
|
||||||
|
SAPI_RAW_CHECK(!rc, "cap_set_flag");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user