From: Christian Brauner Date: Thu, 1 Sep 2016 23:40:39 +0000 (+0200) Subject: start: set PR_SET_NO_NEW_PRIVS when requested X-Git-Tag: lxc-2.1.0~325^2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=029cdff5822b155245df6355e1a774ceb4f415f7;p=thirdparty%2Flxc.git start: set PR_SET_NO_NEW_PRIVS when requested Set no_new_privs after setting the lsm label. If we do set it before we aren't allowed to change the label anymore. Signed-off-by: Christian Brauner --- diff --git a/src/lxc/start.c b/src/lxc/start.c index 2411626de..bcc2e5ee9 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -850,6 +850,16 @@ static int do_start(void *data) if (lsm_process_label_set(NULL, handler->conf, 1, 1) < 0) goto out_warn_father; + /* Set PR_SET_NO_NEW_PRIVS after we changed the lsm label. If we do it + * before we aren't allowed anymore. */ + if (handler->conf->no_new_privs) { + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { + SYSERROR("Could not set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges."); + goto out_warn_father; + } + DEBUG("Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges."); + } + /* Some init's such as busybox will set sane tty settings on stdin, * stdout, stderr which it thinks is the console. We already set them * the way we wanted on the real terminal, and we want init to do its
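Review bot: The inline comment in the added block ("If we do it before we aren't allowed anymore.") drops the object and reads as incomplete; the commit message states the actual constraint, so suggest "If we do it before, the LSM label can no longer be changed." so the ordering requirement survives without reading the commit history. Minor: prctl(PR_SET_NO_NEW_PRIVS) returns EINVAL on kernels older than 3.5, which do not know the option; since the setting is opt-in via handler->conf->no_new_privs, failing hard and jumping to out_warn_father is the right call, but the SYSERROR text could mention that an unsupported kernel is one likely cause.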