-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathprctl.c
53 lines (45 loc) · 1.24 KB
/
prctl.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#include "contain.h"
#include <sys/prctl.h>
#include <linux/securebits.h>
#include <argp.h>
static struct argp_option prctl_options[] = {
{"noroot", 'r', 0, 0,
"Setuid root does not grant capabilities", 0},
{"nonewprivs", 1070, 0, 0,
"No new privileges that can be granted via execve", 0},
{NULL, 0, 0, 0, NULL, 0 },
};
static bool noroot = false;
static bool nonewprivs = false;
static error_t parse_prctl_opt(int key, char *arg, struct argp_state *state)
{
(void)state;
(void)arg;
switch(key) {
case 'r':
noroot = true;
break;
case 1070:
nonewprivs = true;
break;
default:
return ARGP_ERR_UNKNOWN;
}
return 0;
}
struct argp prctl_argp = {
prctl_options, parse_prctl_opt, "", "Process flags", 0, 0, 0 };
int do_prctl(void)
{
int securebits = 0;
if (noroot) {
securebits |= SECBIT_KEEP_CAPS_LOCKED
| SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED
| SECBIT_NOROOT | SECBIT_NOROOT_LOCKED;
if (prctl(PR_SET_SECUREBITS, securebits, 0, 0, 0) == -1)
return -1;
}
if (nonewprivs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
return -1;
return 0;
}