Diffstat (limited to 'go/try-launching.go')
-rw-r--r-- | go/try-launching.go | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/go/try-launching.go b/go/try-launching.go
index 272fd0a..9f20e6b 100644
--- a/go/try-launching.go
+++ b/go/try-launching.go
@@ -28,6 +28,7 @@ func tryLaunching() {
 iab string
 uid int
 gid int
+ mode cap.Mode
 groups []int
 }{
 {args: []string{root + "/go/ok"}},
@@ -44,6 +45,11 @@ func tryLaunching() {
 chroot: root + "/go",
 fail: syscall.Getuid() != 0,
 },
+ {
+ args: []string{root + "/progs/tcapsh-static", "--inmode=NOPRIV", "--has-no-new-privs"},
+ mode: cap.ModeNoPriv,
+ fail: syscall.Getuid() != 0,
+ },
 }
 ps := make([]int, len(vs))
@@ -61,6 +67,9 @@ func tryLaunching() {
 if v.gid != 0 {
 e.SetGroups(v.gid, v.groups)
 }
+ if v.mode != 0 {
+ e.SetMode(v.mode)
+ }
 if v.iab != "" {
 if iab, err := cap.IABFromText(v.iab); err != nil {
 log.Fatalf("failed to parse iab=%q: %v", v.iab, err)
@@ -68,6 +77,7 @@ func tryLaunching() {
 e.SetIAB(iab)
 }
 }
+ log.Printf("[%d] trying: %q\n", i, v.args)
 if ps[i], err = e.Launch(nil); err != nil {
 if v.fail {
 continue |
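Review bot: The new NOPRIV table entry predicts failure with `fail: syscall.Getuid() != 0`, so it uses uid 0 as a stand-in for the privilege that entering the mode actually needs. Entering a libcap mode presumably depends on CAP_SETPCAP being available rather than on the uid. If so, a root process with a reduced bounding set (for example in a container) would be expected to pass and then fail, and a non-root process holding the capability would be expected to fail and then pass. The existing chroot entry has the same shape, so at minimum I would record the assumption on the entry, e.g. `// uid 0 stands in for CAP_SETPCAP here; a capability-restricted root will not match this expectation`. The table and the rest of tryLaunching extend outside this hunk.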
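Review bot: The guard `if v.mode != 0 {` treats the literal 0 as "no mode requested", which only holds while the zero value of `cap.Mode` is not a mode a test would want to set. Comparing against the named zero constant makes that intent explicit and survives a reordering of the enum: `if v.mode != cap.ModeUncertain {`. A short comment on the `mode` field in the struct, such as `// zero value leaves the launcher's mode untouched`, would document the same convention for people adding table entries. The loop body this sits in begins and ends outside the hunk.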
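Review bot: The added `log.Printf("[%d] trying: %q\n", i, v.args)` carries a trailing `\n` that the log package already supplies when the message does not end in one, so it is redundant; `log.Printf("[%d] trying: %q", i, v.args)` is the usual form. The line prints only `v.args`, so two entries that share a binary and differ in `mode`, `iab` or `chroot` are indistinguishable in the output except by index. Adding the mode to the message (for example `mode=%v`) would make a failing privileged-launch case easier to identify from the log alone.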