don't drop CAP_SYS_PTRACE, as it is apparently needed by the sandbox
when running as root in combination with the AppArmor (or possibly Yama) LSM PiperOrigin-RevId: 578762678 Change-Id: I60803b4ed78c6750f8ce0e0c909e5cec4f619da8
This commit is contained in:
parent
79ab44c981
commit
6f90a6ef2a
|
@ -543,18 +543,22 @@ bool ForkServer::Initialize() {
|
|||
cap_t wanted_caps = cap_init(); // starts as empty set, ie. no caps
|
||||
SAPI_RAW_CHECK(wanted_caps, "failed to cap_init()");
|
||||
|
||||
// CAP_SYS_PTRACE appears to be needed for apparmor (or possibly yama)
|
||||
// CAP_SETFCAP is needed on newer kernels (5.10 needs it, 4.15 does not)
|
||||
for (cap_value_t cap : {CAP_SYS_PTRACE, CAP_SETFCAP}) {
|
||||
for (cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) {
|
||||
cap_flag_value_t value;
|
||||
int rc = cap_get_flag(have_caps, CAP_SETFCAP, flag, &value);
|
||||
int rc = cap_get_flag(have_caps, cap, flag, &value);
|
||||
SAPI_RAW_CHECK(!rc, "cap_get_flag");
|
||||
if (value == CAP_SET) {
|
||||
cap_value_t caps_to_set[1] = {
|
||||
CAP_SETFCAP,
|
||||
cap,
|
||||
};
|
||||
rc = cap_set_flag(wanted_caps, flag, 1, caps_to_set, CAP_SET);
|
||||
SAPI_RAW_CHECK(!rc, "cap_set_flag");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
SAPI_RAW_CHECK(!cap_set_proc(wanted_caps), "while dropping capabilities");
|
||||
SAPI_RAW_CHECK(!cap_free(wanted_caps), "while freeing wanted_caps");
|
||||
|
|
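Review bot: The new outer loop `for (cap_value_t cap : {CAP_SYS_PTRACE, CAP_SETFCAP})` retains CAP_SYS_PTRACE in both the effective and permitted sets whenever the process happens to hold it, while the description ties the need to the root-plus-AppArmor case only; since this capability is far broader than CAP_SETFCAP, consider gating its retention on that condition (for example a `geteuid() == 0` check around the CAP_SYS_PTRACE case) so a non-root fork server still drops it. The comment `// CAP_SYS_PTRACE appears to be needed for apparmor (or possibly yama)` is hedged and does not say which operation fails without it, so a later maintainer cannot tell when it becomes safe to drop again; a wording such as `// CAP_SYS_PTRACE: required when the fork server runs as root under AppArmor (possibly Yama), see commit 6f90a6ef2a; drop once the failing operation is identified` would record that. The single-element array `cap_value_t caps_to_set[1] = { cap, };` could be written `cap_value_t caps_to_set[] = {cap};` now that it no longer names a fixed constant. `ForkServer::Initialize` begins before and continues after this hunk, so the origin of `have_caps` and its release are not visible here.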