author | Luis Hector Chavez <lhchavez@google.com> | 2017-06-29 20:29:57 -0700 |
---|---|---|
committer | Luis Hector Chavez <lhchavez@google.com> | 2017-07-11 11:15:41 -0700 |
commit | ec0a2c1023801b875fed9eb514eb29207d657e3f (patch) | |
tree | a05d6063daebfb6aefccd704faee7b32f011d879 /system.c | |
parent | fe5fb8ea506c1a198d690e712d848d149a0addd0 (diff) | |
download | minijail-ec0a2c1023801b875fed9eb514eb29207d657e3f.tar.gz |
minijail: Allow skipping setting securebits when restricting caps
This change allows the user to optionally skip setting a subset of the
securebits that are automatically set when restricting caps.
Bug: 63069223
Test: $ gcc -static -xc -o securebits - << EOF
#include <stdio.h>
#include <sys/prctl.h>
int main()
{
printf("%x\n", prctl(PR_GET_SECUREBITS));
}
EOF
$ sudo ./minijail0 -c 1fffffffff --ambient ./securebits
2f
$ sudo ./minijail0 -c 1fffffffff --ambient -B 2f ./securebits
0
Change-Id: Ie247302bbbb35f04caa2066541a8c175f6c94976
Diffstat (limited to 'system.c')
-rw-r--r-- | system.c | 11 |
1 files changed, 7 insertions, 4 deletions
@@ -51,7 +51,7 @@ _Static_assert(SECURE_ALL_BITS == 0x55, "SECURE_ALL_BITS == 0x55.");
 #endif
-int lock_securebits(void)
+int lock_securebits(uint64_t skip_mask)
 {
 /*
 * Ambient capabilities can only be raised if they're already present
@@ -59,9 +59,12 @@ int lock_securebits(void)
 * need to lock the NO_CAP_AMBIENT_RAISE securebit, since we are already
 * configuring the permitted and inheritable set.
 */
- int securebits_ret =
- prctl(PR_SET_SECUREBITS,
- SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT);
+ uint64_t securebits =
+ (SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT) & ~skip_mask;
+ if (!securebits) {
+ return 0;
+ }
+ int securebits_ret = prctl(PR_SET_SECUREBITS, securebits);
 if (securebits_ret < 0) {
 pwarn("prctl(PR_SET_SECUREBITS) failed");
 return -1; |
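Review bot: The new `skip_mask` parameter on `lock_securebits` has no comment saying which bit values it takes or what skipping means, and the signature line in the first hunk is the place for it. Suggested comment above the function: `/* @skip_mask: SECBIT_* values to leave untouched; 0 sets and locks every securebit in the mask below. */`. The function body continues past the end of this hunk, and the prototype and callers are not on this page (the diffstat is limited to system.c), so presumably they are updated elsewhere in the same commit.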
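Review bot: Because `~skip_mask` is applied bit by bit in the second hunk, a caller can drop a `*_LOCKED` bit while keeping its base bit, and a mask that covers everything reaches the early `return 0` without any log line. With the lock skipped, a jailed process that still holds CAP_SETPCAP can clear the securebit again, so the setting no longer binds the jailed process. I would state this above the mask computation, `/* Skipping a *_LOCKED bit leaves its securebit clearable by a process that keeps CAP_SETPCAP. */`, and log when the result differs from the full mask. Separately, prctl() takes its arguments as unsigned long, so pass `(unsigned long)securebits` to stay correct on 32-bit builds. The function's closing lines are outside the hunk.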