diff options
author | Jamie Liu <jamieliu@google.com> | 2019-01-08 12:51:04 -0800 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-01-08 12:52:24 -0800 |
commit | f95b94fbe3e557b16ed2b78c87e8936c0aeab6c5 (patch) | |
tree | 2c8122e9eb8b4de70a90b938fb8911b3b5c24054 /pkg/sentry/kernel/auth | |
parent | 3f45878b7323697c82e06649144e2a4f39018a12 (diff) |
Grant no initial capabilities to non-root UIDs.
See modified comment in auth.NewUserCredentials(); compare to the
behavior of setresuid(2) as implemented by
//pkg/sentry/kernel/task_identity.go:kernel.Task.setKUIDsUncheckedLocked().
PiperOrigin-RevId: 228381765
Change-Id: I45238777c8f63fcf41b99fce3969caaf682fe408
Diffstat (limited to 'pkg/sentry/kernel/auth')
-rw-r--r-- | pkg/sentry/kernel/auth/credentials.go | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/pkg/sentry/kernel/auth/credentials.go b/pkg/sentry/kernel/auth/credentials.go index de33f1953..a843b9aab 100644 --- a/pkg/sentry/kernel/auth/credentials.go +++ b/pkg/sentry/kernel/auth/credentials.go @@ -119,19 +119,24 @@ func NewUserCredentials(kuid KUID, kgid KGID, extraKGIDs []KGID, capabilities *T // Set additional GIDs. creds.ExtraKGIDs = append(creds.ExtraKGIDs, extraKGIDs...) - // Set capabilities. If capabilities aren't specified, we default to - // all capabilities. + // Set capabilities. if capabilities != nil { creds.PermittedCaps = capabilities.PermittedCaps creds.EffectiveCaps = capabilities.EffectiveCaps creds.BoundingCaps = capabilities.BoundingCaps creds.InheritableCaps = capabilities.InheritableCaps - // // TODO: Support ambient capabilities. + // TODO: Support ambient capabilities. } else { - // If no capabilities are specified, grant the same capabilities - // that NewRootCredentials does. - creds.PermittedCaps = AllCapabilities - creds.EffectiveCaps = AllCapabilities + // If no capabilities are specified, grant capabilities consistent with + // setresuid + setresgid from NewRootCredentials to the given uid and + // gid. + if kuid == RootKUID { + creds.PermittedCaps = AllCapabilities + creds.EffectiveCaps = AllCapabilities + } else { + creds.PermittedCaps = 0 + creds.EffectiveCaps = 0 + } creds.BoundingCaps = AllCapabilities } |