aboutgitcodebugslistschat
path: root/isolation.c
diff options
context:
space:
mode:
Diffstat (limited to 'isolation.c')
-rw-r--r--isolation.c67
1 files changed, 23 insertions, 44 deletions
diff --git a/isolation.c b/isolation.c
index 4e6637d..6bae4d4 100644
--- a/isolation.c
+++ b/isolation.c
@@ -103,10 +103,8 @@ static void drop_caps_ep_except(uint64_t keep)
struct __user_cap_data_struct data[CAP_WORDS];
int i;
- if (syscall(SYS_capget, &hdr, data)) {
- err("Couldn't get current capabilities: %s", strerror(errno));
- exit(EXIT_FAILURE);
- }
+ if (syscall(SYS_capget, &hdr, data))
+ die("Couldn't get current capabilities: %s", strerror(errno));
for (i = 0; i < CAP_WORDS; i++) {
uint32_t mask = keep >> (32 * i);
@@ -115,10 +113,8 @@ static void drop_caps_ep_except(uint64_t keep)
data[i].permitted &= mask;
}
- if (syscall(SYS_capset, &hdr, data)) {
- err("Couldn't drop capabilities: %s", strerror(errno));
- exit(EXIT_FAILURE);
- }
+ if (syscall(SYS_capset, &hdr, data))
+ die("Couldn't drop capabilities: %s", strerror(errno));
}
/**
@@ -154,26 +150,20 @@ static void clamp_caps(void)
* normal operation, so carry on without it.
*/
if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) &&
- errno != EINVAL && errno != EPERM) {
- err("Couldn't drop cap %i from bounding set: %s",
+ errno != EINVAL && errno != EPERM)
+ die("Couldn't drop cap %i from bounding set: %s",
i, strerror(errno));
- exit(EXIT_FAILURE);
- }
}
- if (syscall(SYS_capget, &hdr, data)) {
- err("Couldn't get current capabilities: %s", strerror(errno));
- exit(EXIT_FAILURE);
- }
+ if (syscall(SYS_capget, &hdr, data))
+ die("Couldn't get current capabilities: %s", strerror(errno));
for (i = 0; i < CAP_WORDS; i++)
data[i].inheritable = 0;
- if (syscall(SYS_capset, &hdr, data)) {
- err("Couldn't drop inheritable capabilities: %s",
+ if (syscall(SYS_capset, &hdr, data))
+ die("Couldn't drop inheritable capabilities: %s",
strerror(errno));
- exit(EXIT_FAILURE);
- }
}
/**
@@ -229,46 +219,35 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns,
/* First set our UID & GID in the original namespace */
if (setgroups(0, NULL)) {
/* If we don't have CAP_SETGID, this will EPERM */
- if (errno != EPERM) {
- err("Can't drop supplementary groups: %s",
+ if (errno != EPERM)
+ die("Can't drop supplementary groups: %s",
strerror(errno));
- exit(EXIT_FAILURE);
- }
}
- if (setgid(gid) != 0) {
- err("Can't set GID to %u: %s", gid, strerror(errno));
- exit(EXIT_FAILURE);
- }
+ if (setgid(gid) != 0)
+ die("Can't set GID to %u: %s", gid, strerror(errno));
- if (setuid(uid) != 0) {
- err("Can't set UID to %u: %s", uid, strerror(errno));
- exit(EXIT_FAILURE);
- }
+ if (setuid(uid) != 0)
+ die("Can't set UID to %u: %s", uid, strerror(errno));
if (*userns) { /* If given a userns, join it */
int ufd;
ufd = open(userns, O_RDONLY | O_CLOEXEC);
- if (ufd < 0) {
- err("Couldn't open user namespace %s: %s",
+ if (ufd < 0)
+ die("Couldn't open user namespace %s: %s",
userns, strerror(errno));
- exit(EXIT_FAILURE);
- }
- if (setns(ufd, CLONE_NEWUSER) != 0) {
- err("Couldn't enter user namespace %s: %s",
+ if (setns(ufd, CLONE_NEWUSER) != 0)
+ die("Couldn't enter user namespace %s: %s",
userns, strerror(errno));
- exit(EXIT_FAILURE);
- }
close(ufd);
} else if (use_userns) { /* Create and join a new userns */
- if (unshare(CLONE_NEWUSER) != 0) {
- err("Couldn't create user namespace: %s", strerror(errno));
- exit(EXIT_FAILURE);
- }
+ if (unshare(CLONE_NEWUSER) != 0)
+ die("Couldn't create user namespace: %s",
+ strerror(errno));
}
/* Joining a new userns gives us full capabilities; drop the