From patchwork Tue Aug 25 23:00:41 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Etienne Champetier <champetier.etienne@gmail.com>
X-Patchwork-Id: 510664
Return-Path: <openwrt-devel-bounces@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from arrakis.dune.hu (arrakis.dune.hu [78.24.191.176])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 07D611401AD
	for <incoming@patchwork.ozlabs.org>;
	Wed, 26 Aug 2015 09:03:57 +1000 (AEST)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com header.b=ZXEBpdrS;
	dkim-atps=neutral
Received: from arrakis.dune.hu (localhost [127.0.0.1])
	by arrakis.dune.hu (Postfix) with ESMTP id 8DC8128BF8A;
	Wed, 26 Aug 2015 01:01:02 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on arrakis.dune.hu
X-Spam-Level: 
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	T_DKIM_INVALID autolearn=unavailable version=3.3.2
Received: from arrakis.dune.hu (localhost [127.0.0.1])
	by arrakis.dune.hu (Postfix) with ESMTP id 1DA9A28BEC2
	for <openwrt-devel@lists.openwrt.org>;
	Wed, 26 Aug 2015 01:00:43 +0200 (CEST)
X-policyd-weight: using cached result; rate:hard: -8.5
Received: from mail-wi0-f174.google.com (mail-wi0-f174.google.com
	[209.85.212.174]) by arrakis.dune.hu (Postfix) with ESMTPS
	for <openwrt-devel@lists.openwrt.org>;
	Wed, 26 Aug 2015 01:00:28 +0200 (CEST)
Received: by wicja10 with SMTP id ja10so28099354wic.1
	for <openwrt-devel@lists.openwrt.org>;
	Tue, 25 Aug 2015 16:01:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=/jEpTH0K2bZGQnR6I0OTFmsydYsHGKfIHR6c/yZmiWs=;
	b=ZXEBpdrS4Pr8wQma8LOvf/EdXFeKL3A1p3aH/5HIJLlFFeq7AGgGgXUAVyaO5qhPTJ
	NDEdGHSd3ip5MexYEbuiExSFsAEURxcQa4jz2av9KetXHo9nj6WFLXTNABe9g7T27kQH
	T1e2QdxEleu4q8M3AoN0pf96XHjbhAOQDsL8MED30hPD0W/w7dchB8ryYGaXI5Yn7QGp
	m4uFwhymiJKUn1ZeB4mrZLs2qeBidEuQ/bklbpct9u00lMyAcFPdSPHSPpYwHaaSW8Ic
	jBTSq199fx2xxnAMC6fTtKC5y1nFYOgeXz2+YsmR1R4j8Y6HJ26a/aZgVJ2hE+llB7jL
	Ruiw==
X-Received: by 10.194.52.105 with SMTP id s9mr53982216wjo.53.1440543681453;
	Tue, 25 Aug 2015 16:01:21 -0700 (PDT)
Received: from ubuntu1404.lxcnattst (ns623510.ovh.net. [5.135.134.9])
	by smtp.gmail.com with ESMTPSA id
	o3sm989177wjx.16.2015.08.25.16.01.20
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 25 Aug 2015 16:01:20 -0700 (PDT)
From: Etienne CHAMPETIER <champetier.etienne@gmail.com>
To: openwrt-devel@lists.openwrt.org,
	John Crispin <blogic@openwrt.org>
Date: Tue, 25 Aug 2015 23:00:41 +0000
Message-Id: <1440543643-43546-4-git-send-email-champetier.etienne@gmail.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1440543643-43546-1-git-send-email-champetier.etienne@gmail.com>
References: <1440543643-43546-1-git-send-email-champetier.etienne@gmail.com>
Subject: [OpenWrt-Devel] [PATCH procd v2 3/5] jail,
	seccomp: remove useless root check
X-BeenThere: openwrt-devel@lists.openwrt.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenWrt Development List <openwrt-devel.lists.openwrt.org>
List-Unsubscribe: 
 <https://lists.openwrt.org/cgi-bin/mailman/options/openwrt-devel>,
	<mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.openwrt.org/pipermail/openwrt-devel/>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
List-Subscribe: 
 <https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel>,
	<mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: openwrt-devel-bounces@lists.openwrt.org
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>

prctl(PR_SET_NO_NEW_PRIVS, 1) is enough, we don't require CAP_SYS_ADMIN
see
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt

Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
---
 jail/preload.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/jail/preload.c b/jail/preload.c
index 97ac44d..a1cc0b6 100644
--- a/jail/preload.c
+++ b/jail/preload.c
@@ -27,14 +27,8 @@ static main_t __main__;
 
 static int __preload_main__(int argc, char **argv, char **envp)
 {
-	uid_t uid = getuid();
 	char *env_file = getenv("SECCOMP_FILE");
 
-	if (uid) {
-		INFO("preload-seccomp: %s: not root, cannot install seccomp filter\n", *argv);
-		return -1;
-	}
-
 	if (install_syscall_filter(*argv, env_file))
 		return -1;