From 123f234aa42e3d57bb13de7206d25108c739e059 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 25 Aug 2015 18:23:30 -0400
Subject: Drop use of SECBIT_NOROOT, hard require PR_SET_NO_NEW_PRIVS
So sadly, I screwed up the invocation of `prctl(PR_SET_NO_NEW_PRIVS` - we need to provide 0 for the remaining arguments, otherwise the kernel will *always* give us `-EINVAL`. I didn't notice this at the time because I wanted to support the RHEL6 kernel. Anyways, I no longer care about RHEL6 myself, and I'm going to declare no one else should either =)
---
src/linux-user-chroot.c | 21 +++++++--------------
1 file changed, 7 insertions(+), 14 deletions(-)
(limited to 'src')
diff --git a/src/linux-user-chroot.c b/src/linux-user-chroot.c
index 8b8700d..42bbae2 100644
--- a/src/linux-user-chroot.c
+++ b/src/linux-user-chroot.c
@@ -8,7 +8,7 @@
 * distribution, allow privilege escalation. See the README for more
 * details.
 *
- * Copyright 2011,2012 Colin Walters
+ * Copyright 2011,2012,2015 Colin Walters
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -43,12 +43,6 @@
 #include
 #include
 #include
-#ifdef HAVE_LINUX_SECUREBITS_H
-#include
-#else
-#define SECBIT_NOROOT (1 << 0)
-#define SECBIT_NOROOT_LOCKED (1 << 1)
-#endif
 #ifndef PR_SET_NO_NEW_PRIVS
 #define PR_SET_NO_NEW_PRIVS 38
@@ -319,16 +313,15 @@ main (int argc,
 *
 * http://lwn.net/Articles/504879/
 *
- * If that's not available, we fall back to using SECBIT_NOROOT.
- *
 * Following the belt-and-suspenders model, we also make a
- * MS_NOSUID bind mount below.
+ * MS_NOSUID bind mount below. I don't think this is strictly
+ * necessary, but at least we doubly ensure we're not going to
+ * be executing any setuid binaries from the host's /. It
+ * doesn't help if there are any other mount points with setuid
+ * binaries, but `PR_SET_NO_NEW_PRIVS` fixes that.
 */
- if (prctl (PR_SET_NO_NEW_PRIVS, 1) < 0 && errno != EINVAL)
+ if (prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
 fatal_errno ("prctl (PR_SET_NO_NEW_PRIVS)");
- else if (prctl (PR_SET_SECUREBITS,
- SECBIT_NOROOT | SECBIT_NOROOT_LOCKED) < 0)
- fatal_errno ("prctl (SECBIT_NOROOT)");
 /* This is necessary to undo the damage "sandbox" creates on Fedora
 * by making / a shared mount instead of private. This isn't
-- cgit v1.2.1
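Review bot: On a kernel that predates PR_SET_NO_NEW_PRIVS (older than Linux 3.5, the RHEL6 case the description mentions) the new call fails with EINVAL, and `fatal_errno ("prctl (PR_SET_NO_NEW_PRIVS)")` presumably reports only the errno text "Invalid argument", which does not tell the operator that the sandbox refused to start because the kernel lacks the feature rather than because the call was malformed — exactly the confusion the description recounts. Consider checking `errno == EINVAL` before the generic fatal and naming the kernel requirement in that message. Since the comment now makes this bit the primary defence (the MS_NOSUID bind mount is explicitly secondary), it would also be cheap to assert it actually took effect with `prctl (PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1`, with a `#define PR_GET_NO_NEW_PRIVS 39` fallback next to the existing `PR_SET_NO_NEW_PRIVS` one from the earlier hunk. The enclosing main() begins and ends outside this hunk.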