diff options
| author | Alexander Larsson <alexl@redhat.com> | 2019-11-21 18:29:51 +0100 |
|---|---|---|
| committer | Alexander Larsson <alexl@redhat.com> | 2019-11-21 18:32:42 +0100 |
| commit | 23d3b639242efa1f4626eb07aa04698ba2e0354e (patch) | |
| tree | 8036eb73e5158876ba9f9590fccaa0f02c8471dc | |
| parent | f9f6127474591c8a4731d8b755a4670adcb83b9e (diff) | |
| download | bubblewrap-23d3b639242efa1f4626eb07aa04698ba2e0354e.tar.gz | |
Mark init process as dumpable so we can see stuff in its /proc
Now that we're properly getting rid of root in these we can mark it
dumpable, which enables use of some /proc files, like /proc/$pid/root that
was previously not accessible for pid1 in the sandbox.
| -rw-r--r-- | bubblewrap.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/bubblewrap.c b/bubblewrap.c index 645a3cf..027f8c9 100644 --- a/bubblewrap.c +++ b/bubblewrap.c @@ -826,6 +826,10 @@ drop_privs (bool keep_requested_caps) die_with_error ("unable to drop root uid"); drop_all_caps (keep_requested_caps); + + /* We don't have any privs now, so mark us dumpable which makes /proc/self be owned by the user instead of root */ + if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) != 0) + die_with_error ("can't set dumpable"); } static char * |