From patchwork Wed Aug 26 23:26:43 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Etienne Champetier X-Patchwork-Id: 511113 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from arrakis.dune.hu (arrakis.dune.hu [78.24.191.176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 005BA1401C7 for ; Thu, 27 Aug 2015 09:30:32 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b=tw6gT/ui; dkim-atps=neutral Received: from arrakis.dune.hu (localhost [127.0.0.1]) by arrakis.dune.hu (Postfix) with ESMTP id 55C6928BEEC; Thu, 27 Aug 2015 01:27:15 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on arrakis.dune.hu X-Spam-Level: X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,FREEMAIL_FROM, T_DKIM_INVALID autolearn=unavailable version=3.3.2 Received: from arrakis.dune.hu (localhost [127.0.0.1]) by arrakis.dune.hu (Postfix) with ESMTP id 92DD428BD86 for ; Thu, 27 Aug 2015 01:26:22 +0200 (CEST) X-policyd-weight: using cached result; rate: -8.5 Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) by arrakis.dune.hu (Postfix) with ESMTPS for ; Thu, 27 Aug 2015 01:26:14 +0200 (CEST) Received: by wijn1 with SMTP id n1so38897070wij.0 for ; Wed, 26 Aug 2015 16:27:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=/jEpTH0K2bZGQnR6I0OTFmsydYsHGKfIHR6c/yZmiWs=; b=tw6gT/uiX+MEvlQ9raaRxq5dnDf8nLv9uIatpjdYIhLSGrqxZmAvXmklt4Bo/0EULF pJJuuaN9kRBX49+uvQfhBfqTxADXIYr/OX1nWp7NaleClT/jaM9gUWxnME1lLuNFlRnH 9R1+NIeHCigTUuDFQWsE4WJVioBGvF79yT7irVGFCcEuvMB6CeagxOQQXLPMglG1qlGm ZC5ePUcCGZprkhk+U74+j8HzKcVGaGxNZRWcsQJ9ve/LCfMrQeqSoboYtrb0Y32D/BtF 6qO85nJlpJP5JWQuZk8g8Kif2I29Wd0f7O8K08NzG9abe6uB0USSPuOMbF156weUjj2O 5J6g== X-Received: by 10.180.99.170 with SMTP id er10mr15485387wib.65.1440631627615; Wed, 26 Aug 2015 16:27:07 -0700 (PDT) Received: from ubuntu1404.lxcnattst (ns623510.ovh.net. [5.135.134.9]) by smtp.gmail.com with ESMTPSA id lk16sm832035wic.6.2015.08.26.16.27.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 26 Aug 2015 16:27:06 -0700 (PDT) From: Etienne CHAMPETIER To: openwrt-devel@lists.openwrt.org Date: Wed, 26 Aug 2015 23:26:43 +0000 Message-Id: <1440631607-63520-4-git-send-email-champetier.etienne@gmail.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1440631607-63520-1-git-send-email-champetier.etienne@gmail.com> References: <1440631607-63520-1-git-send-email-champetier.etienne@gmail.com> Subject: [OpenWrt-Devel] [PATCH procd v3 3/7] jail, seccomp: remove useless root check X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openwrt-devel-bounces@lists.openwrt.org Sender: "openwrt-devel" prctl(PR_SET_NO_NEW_PRIVS, 1) is enough, we don't require CAP_SYS_ADMIN see https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt Signed-off-by: Etienne CHAMPETIER --- jail/preload.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/jail/preload.c b/jail/preload.c index 97ac44d..a1cc0b6 100644 --- a/jail/preload.c +++ b/jail/preload.c @@ -27,14 +27,8 @@ static main_t __main__; static int __preload_main__(int argc, char **argv, char **envp) { - uid_t uid = getuid(); char *env_file = getenv("SECCOMP_FILE"); - if (uid) { - INFO("preload-seccomp: %s: not root, cannot install seccomp filter\n", *argv); - return -1; - } - if (install_syscall_filter(*argv, env_file)) return -1;