summaryrefslogtreecommitdiffhomepage
path: root/pkg
diff options
context:
space:
mode:
authorJamie Liu <jamieliu@google.com>2019-01-08 12:51:04 -0800
committerShentubot <shentubot@google.com>2019-01-08 12:52:24 -0800
commitf95b94fbe3e557b16ed2b78c87e8936c0aeab6c5 (patch)
tree2c8122e9eb8b4de70a90b938fb8911b3b5c24054 /pkg
parent3f45878b7323697c82e06649144e2a4f39018a12 (diff)
Grant no initial capabilities to non-root UIDs.
See modified comment in auth.NewUserCredentials(); compare to the behavior of setresuid(2) as implemented by //pkg/sentry/kernel/task_identity.go:kernel.Task.setKUIDsUncheckedLocked(). PiperOrigin-RevId: 228381765 Change-Id: I45238777c8f63fcf41b99fce3969caaf682fe408
Diffstat (limited to 'pkg')
-rw-r--r--pkg/sentry/kernel/auth/credentials.go19
1 files changed, 12 insertions, 7 deletions
diff --git a/pkg/sentry/kernel/auth/credentials.go b/pkg/sentry/kernel/auth/credentials.go
index de33f1953..a843b9aab 100644
--- a/pkg/sentry/kernel/auth/credentials.go
+++ b/pkg/sentry/kernel/auth/credentials.go
@@ -119,19 +119,24 @@ func NewUserCredentials(kuid KUID, kgid KGID, extraKGIDs []KGID, capabilities *T
// Set additional GIDs.
creds.ExtraKGIDs = append(creds.ExtraKGIDs, extraKGIDs...)
- // Set capabilities. If capabilities aren't specified, we default to
- // all capabilities.
+ // Set capabilities.
if capabilities != nil {
creds.PermittedCaps = capabilities.PermittedCaps
creds.EffectiveCaps = capabilities.EffectiveCaps
creds.BoundingCaps = capabilities.BoundingCaps
creds.InheritableCaps = capabilities.InheritableCaps
- // // TODO: Support ambient capabilities.
+ // TODO: Support ambient capabilities.
} else {
- // If no capabilities are specified, grant the same capabilities
- // that NewRootCredentials does.
- creds.PermittedCaps = AllCapabilities
- creds.EffectiveCaps = AllCapabilities
+ // If no capabilities are specified, grant capabilities consistent with
+ // setresuid + setresgid from NewRootCredentials to the given uid and
+ // gid.
+ if kuid == RootKUID {
+ creds.PermittedCaps = AllCapabilities
+ creds.EffectiveCaps = AllCapabilities
+ } else {
+ creds.PermittedCaps = 0
+ creds.EffectiveCaps = 0
+ }
creds.BoundingCaps = AllCapabilities
}