-rw-r--r-- | libcap/cap_proc.c | 2 | ||||
-rw-r--r-- | progs/capsh.c | 8 | ||||
-rwxr-xr-x | progs/quicktest.sh | 6 |
3 files changed, 15 insertions, 1 deletions
diff --git a/libcap/cap_proc.c b/libcap/cap_proc.c index 6040c02..8ecb57a 100644 --- a/libcap/cap_proc.c +++ b/libcap/cap_proc.c @@ -4,6 +4,8 @@ * This file deals with getting and setting capabilities on processes. */ +#include <sys/prctl.h> + #include "libcap.h" cap_t cap_get_proc(void) diff --git a/progs/capsh.c b/progs/capsh.c index 4c32279..52336d7 100644 --- a/progs/capsh.c +++ b/progs/capsh.c @@ -278,10 +278,16 @@ int main(int argc, char *argv[], char *envp[]) perror("unable to lower CAP_SYS_CHROOT"); exit(1); } + /* + * Given we are now in a new directory tree, its good practice + * to start off in a sane location + */ + status = chdir("/"); + cap_free(orig); if (status != 0) { - fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9); + fprintf(stderr, "Unable to chroot/chdir to [%s]", argv[i]+9); exit(1); } } else if (!memcmp("--secbits=", argv[i], 10)) { diff --git a/progs/quicktest.sh b/progs/quicktest.sh index 5959da9..be3fa7d 100755 --- a/progs/quicktest.sh +++ b/progs/quicktest.sh @@ -21,6 +21,7 @@ fail_capsh () { echo -n "EXPECT FAILURE: " try_capsh "$@" if [ $? -eq 1 ]; then + echo "[WHICH MEANS A PASS!]" return 0 else echo "Undesired result - aborting" @@ -132,3 +133,8 @@ fi # Max lockdown pass_capsh --keep=1 --user=nobody --caps=cap_setpcap=ep \ --drop=all --secbits=0x2f --caps= --print + +# Verify we can chroot +pass_capsh --chroot=$(/bin/pwd) +pass_capsh --chroot=$(/bin/pwd) == +fail_capsh --chroot=$(/bin/pwd) -- -c "echo oops" |
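Review bot: The added `status = chdir("/");` overwrites `status` unconditionally. Judging by the `if (status != 0)` check and its "Unable to chroot" message, `status` appears to hold the result of a chroot() call made above this hunk. If so, a failed chroot() followed by a successful chdir("/") leaves `status` at 0, and capsh continues in the original root without reporting anything, so a caller relying on --chroot for confinement silently gets none. Change directory only when the chroot succeeded: `if (status == 0) status = chdir("/");`. The body of main starts and ends outside the hunk, so confirm this against the chroot() call site.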
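Review bot: The new chroot cases at the end of quicktest.sh only use a valid target, so the branch in capsh that prints "Unable to chroot/chdir" and exits with 1 is never exercised. A case such as `fail_capsh --chroot=/no/such/dir` (constructed path) would pin that a failed chroot makes capsh exit with status 1, which is what fail_capsh checks for. The command substitution is also unquoted, so all three lines break when the working directory contains whitespace; `--chroot="$(/bin/pwd)"` avoids that.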