commit e7e83520b4e197fdc823efc7efcbfdbbaf3a8c06
parent 1d72bd8090214a1879165c73c8c42f4bf1aa202d
Author: Jan Pobrislo <ccx@te2000.cz>
Date: Sat, 17 May 2025 16:09:22 +0000
Use applyuidgid-caps instead of s6-applyuidgid everywhere.
It gives us the benefit of setting SECBIT_NOROOT|SECBIT_NOROOT_LOCKED via prctl,
preventing any kind of suid/sgid/filecaps use for privilege gain.
Diffstat:
5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/sbin/container_sysroot_run b/sbin/container_sysroot_run
@@ -41,7 +41,7 @@ if { chown ${CONTAINER_USER}:${CONTAINER_USER} ${CONTAINER_TMPFS}/run/resolv.con
unshare -m -u -i # new mount, UTS and IPC namespaces
if { mount -a -T data/fstab }
-# Put UID/GID/GIDLIST into environment for use by s6-applyuidgid below
+# Put UID/GID/GIDLIST into environment for use by applyuidgid-caps below
s6-envuidgid ${CONTAINER_USER}
env
@@ -51,5 +51,5 @@ emptyenv -c
export NS_NO_PID1 1
pidns_run
ns_run_unshared data/root { }
-/mnt/ns/bin/s6-applyuidgid -U
+/mnt/ns/bin/applyuidgid-caps -U ""
$@
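Review bot: The commit's claim that SECBIT_NOROOT blocks every suid/sgid/filecaps privilege gain needs qualifying for the `/mnt/ns/bin/applyuidgid-caps -U ""` line that now fronts `$@`: NOROOT only stops the kernel from granting capabilities to a uid-0 process on execve, so a setuid/setgid binary still switches euid/egid, and file capabilities are still honoured for a non-root process unless the bounding set is emptied as well. If the empty capability argument also clears the bounding set (applyuidgid-caps is not visible here) that covers filecaps; otherwise PR_SET_NO_NEW_PRIVS is the switch that forbids all three across execve. The bare `""` token reads as a mistake in execline and deserves an inline note such as `# "" = retain no capabilities after the uid/gid switch`. The new binary must also be shipped into the namespace's /mnt/ns/bin, where s6-applyuidgid was previously expected.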
diff --git a/service_scripts/alsa/run b/service_scripts/alsa/run
@@ -34,7 +34,7 @@ if { chown root:${CONTAINER_USER} ${CONTAINER_TMPFS}/${tmpfs_dirs} }
if { redirfd -w 1 ${CONTAINER_TMPFS}/run/resolv.conf printf "nameserver 127.0.0.1\n" }
if { chown ${CONTAINER_USER}:${CONTAINER_USER} ${CONTAINER_TMPFS}/run/resolv.conf }
-# Put UID/GID/GIDLIST into environment for use by s6-applyuidgid below
+# Put UID/GID/GIDLIST into environment for use by applyuidgid-caps below
s6-envuidgid ${CONTAINER_USER}
unshare -m -u -i # new mount, UTS and IPC namespaces
@@ -45,7 +45,7 @@ if { mount -a -T data/fstab }
if {
ifelse { test -x ${CONTAINER_USER_HOME}/container-setup } {
env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER}
- s6-applyuidgid -U
+ applyuidgid-caps -U ""
${CONTAINER_USER_HOME}/container-setup ${CONTAINER_TMPFS} ${CONTAINER_NAME}
}
}
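Review bot: The `applyuidgid-caps -U ""` line precedes the exec of the user-owned `${CONTAINER_USER_HOME}/container-setup`, so the script the user controls runs with the securebits already applied, which is the right order; the empty-string argument, however, is undocumented and a later reader may drop it as a stray token. A one-liner above it, `# "" = retain no capabilities after switching to ${CONTAINER_USER}`, would record the intent. The `test -x` gating this branch still runs as root against a user-writable path before the drop, which the commit does not change. The enclosing `if {` block starts outside the hunk.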
diff --git a/service_scripts/generic/run b/service_scripts/generic/run
@@ -42,7 +42,7 @@ if { chown root:${CONTAINER_USER} ${CONTAINER_TMPFS}/${tmpfs_dirs} }
if { redirfd -w 1 ${CONTAINER_TMPFS}/run/resolv.conf printf "nameserver 127.0.0.1\n" }
if { chown ${CONTAINER_USER}:${CONTAINER_USER} ${CONTAINER_TMPFS}/run/resolv.conf }
-# Put UID/GID/GIDLIST into environment for use by s6-applyuidgid below
+# Put UID/GID/GIDLIST into environment for use by applyuidgid-caps below
s6-envuidgid ${CONTAINER_USER}
unshare -m -u -i # new mount, UTS and IPC namespaces
@@ -53,7 +53,7 @@ $PID1_EXEC
if {
ifelse { test -x ${CONTAINER_USER_HOME}/container-setup } {
env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER}
- s6-applyuidgid -U
+ applyuidgid-caps -U ""
${CONTAINER_USER_HOME}/container-setup ${CONTAINER_TMPFS} ${CONTAINER_NAME}
}
}
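Review bot: `applyuidgid-caps -U ""` is resolved through PATH here but invoked by absolute `/mnt/ns/bin/` path in the sysroot scripts; if both are meant to be the same binary, pinning the path or a shared variable would keep a PATH difference from silently selecting a different `applyuidgid-caps`. Since `$PID1_EXEC` precedes this block per the hunk header, it is worth confirming that PATH at this point is still the host's and not something the container can influence. As elsewhere, the bare `""` argument wants a comment, e.g. `# "" = retain no capabilities`. The enclosing `if {` block starts outside the hunk.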
diff --git a/service_scripts/sysroot/run b/service_scripts/sysroot/run
@@ -36,13 +36,13 @@ if { chown ${CONTAINER_USER}:${CONTAINER_USER} ${CONTAINER_TMPFS}/run/resolv.con
unshare -m -u -i # new mount, UTS and IPC namespaces
if { mount -a -T data/fstab }
-# Put UID/GID/GIDLIST into environment for use by s6-applyuidgid below
+# Put UID/GID/GIDLIST into environment for use by applyuidgid-caps below
s6-envuidgid ${CONTAINER_USER}
# Run user's script to populate /home /run and/or /tmp
if {
env HOME=${CONTAINER_USER_HOME}
- s6-applyuidgid -U
+ applyuidgid-caps -U ""
backtick -E CONTAINER_ROOT { s6-linkname data/root }
confz container_sysroot_rundir
container_root=${CONTAINER_ROOT}
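Review bot: With `applyuidgid-caps -U ""` in this position the securebits are in force before `backtick -E CONTAINER_ROOT { s6-linkname data/root }` and `confz container_sysroot_rundir …` run, so any setuid-root helper those tools might exec no longer gains capabilities; that is presumably intended, but the commit message frames the lock as a benefit for the container payload only, so the populate step should say so. Suggested comment above the line: `# caps dropped and NOROOT locked from here on: confz and the user's populate step run fully unprivileged`. The `if {` block this line belongs to continues past the hunk.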
@@ -55,6 +55,6 @@ env
emptyenv -c
ns_run_unshared data/root { }
-/mnt/ns/bin/s6-applyuidgid -U
+/mnt/ns/bin/applyuidgid-caps -U ""
env HOME=/root
/run/init
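Review bot: `/run/init` is now exec'd under `/mnt/ns/bin/applyuidgid-caps -U ""` with `HOME=/root`, and because securebits are inherited across fork and execve, every process the sysroot's init spawns carries SECBIT_NOROOT_LOCKED: no setuid-root tool inside the sysroot (su, sudo, mount helpers) can ever gain capabilities again. That is a user-visible behaviour change for the container and belongs in the service's documentation, not only in the commit message; a comment above the line, `# NOROOT|NOROOT_LOCKED is inherited by everything init starts: setuid-root binaries gain no capabilities inside the sysroot`, would record it in place. Whether `HOME=/root` matches the uid exported by `s6-envuidgid ${CONTAINER_USER}` earlier, or relies on a user-namespace mapping done by `ns_run_unshared`, is not visible here — confirm it is deliberate.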
diff --git a/service_scripts/xsession/run b/service_scripts/xsession/run
@@ -31,7 +31,7 @@ if { mkdir -p ${CONTAINER_TMPFS}/${tmpfs_dirs} ${CONTAINER_TMPFS}/mnt/${CONTAINE
if { chmod 1770 ${CONTAINER_TMPFS}/${tmpfs_dirs} }
if { chown root:${CONTAINER_USER} ${CONTAINER_TMPFS}/${tmpfs_dirs} }
-# Put UID/GID/GIDLIST into environment for use by s6-applyuidgid below
+# Put UID/GID/GIDLIST into environment for use by applyuidgid-caps below
s6-envuidgid ${CONTAINER_USER}
unshare -m -u -i # new mount, UTS and IPC namespaces