author Michael Pratt <mpratt@google.com> 2019-06-05 13:59:01 -0700
committer Shentubot <shentubot@google.com> 2019-06-05 14:00:13 -0700
commit d3ed9baac0dc967eaf6d3e3f986cafe60604121a (patch)
tree 47121539775297207ba205b60b136c9093d5d393 /pkg/abi
parent cecb71dc37a77d8e4e88cdfada92a37a72c67602 (diff)
Implement dumpability tracking and checks

We don't actually support core dumps, but some applications want to get/set dumpability, which still has an effect in procfs.

Lack of support for set-uid binaries or fs creds simplifies things a bit.

As-is, processes started via CreateProcess (i.e., init and sentryctl exec) have normal dumpability. I'm a bit torn on whether sentryctl exec tasks should be dumpable, but at least since they have no parent, normal UID/GID checks should protect them.

PiperOrigin-RevId: 251712714
Diffstat (limited to 'pkg/abi')
-rw-r--r-- pkg/abi/linux/prctl.go 7
1 files changed, 7 insertions, 0 deletions
diff --git a/pkg/abi/linux/prctl.go b/pkg/abi/linux/prctl.go
index 0428282dd..391cfaa1c 100644
--- a/pkg/abi/linux/prctl.go
+++ b/pkg/abi/linux/prctl.go
@@ -155,3 +155,10 @@ const (
ARCH_GET_GS = 0x1004
ARCH_SET_CPUID = 0x1012
)
+
+// Flags for prctl(PR_SET_DUMPABLE), defined in include/linux/sched/coredump.h.
+const (
+ SUID_DUMP_DISABLE = 0
+ SUID_DUMP_USER = 1
+ SUID_DUMP_ROOT = 2
+)
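Review bot: The comment on the new const block calls these "Flags", but the values 0, 1 and 2 are mutually exclusive modes rather than bits to be OR-ed together (1|2 would give 3, which is not defined here), so "Values for prctl(PR_SET_DUMPABLE)" would be more accurate. Each constant would also benefit from a one-line comment saying what the mode means, since the dumpability checks described in the commit message depend on telling SUID_DUMP_DISABLE, SUID_DUMP_USER and SUID_DUMP_ROOT apart. The constants are untyped, so nothing at the type level stops an arbitrary integer being stored as the dumpability state. This view is limited to pkg/abi and the prctl handler is not shown, so it is worth confirming there that any argument outside this set is rejected.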