From 9f1724ad1e85eac0c64619576d8dfb832e1a688b Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Thu, 14 Oct 2021 02:47:03 +0200 Subject: passt: Drop all capabilities that we might have, except for CAP_NET_BIND_SERVICE While it's not recommended to give passt any capability, drop all the ones we might have got by mistake, except for the only sensible one, CAP_NET_BIND_SERVICE. Signed-off-by: Stefano Brivio --- passt.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'passt.c') diff --git a/passt.c b/passt.c index e8f4e62..9b55260 100644 --- a/passt.c +++ b/passt.c @@ -55,6 +55,7 @@ #include #include #include +#include #include "seccomp.h" #include "util.h" @@ -185,6 +186,21 @@ static void seccomp(struct ctx *c) } } +/** + * drop_caps() - Drop capabilities we might have except for CAP_NET_BIND_SERVICE + */ +static void drop_caps(void) +{ + int i; + + for (i = 0; i < 64; i++) { + if (i == CAP_NET_BIND_SERVICE) + continue; + + prctl(PR_CAPBSET_DROP, i, 0, 0, 0); + } +} + /** * main() - Entry point and main loop * @argc: Argument count @@ -207,6 +223,8 @@ int main(int argc, char **argv) char *log_name; int nfds, i; + drop_caps(); + if (strstr(argv[0], "pasta") || strstr(argv[0], "passt4netns")) { struct sigaction sa; -- cgit v1.2.3
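Review bot: drop_caps() in the second hunk only removes capabilities from the bounding set, and PR_CAPBSET_DROP does not touch the process's current permitted, effective or inheritable sets, so any capability passt was actually started with (run as root, file capabilities, or inherited ambient capabilities) stays usable after the call; the bounding set only limits what can be regained across a later execve(). The ambient set is also left alone, and the return value of each prctl() is ignored even though PR_CAPBSET_DROP fails with EPERM when the caller lacks CAP_SETPCAP, so the function can silently do nothing. To match the stated intent, clear the ambient set with `prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);` and then restrict the current sets with capget()/capset(), keeping only CAP_NET_BIND_SERVICE; that needs `#include <linux/capability.h>` and `#include <sys/syscall.h>` alongside the `<sys/prctl.h>` added in the first hunk. A sketch of the rewritten body follows; the loop over the bounding set is kept as is.
```c
static void drop_caps(void)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[2];
	int i;

	/* … unchanged: PR_CAPBSET_DROP loop over the bounding set … */

	/* Ambient capabilities would otherwise survive execve() */
	prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);

	/* Now the sets this process can actually use: pid 0 is ourselves */
	if (syscall(SYS_capget, &hdr, data))
		return;

	data[0].effective &= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
	data[0].permitted &= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
	data[0].inheritable = 0;
	data[1].effective = data[1].permitted = data[1].inheritable = 0;

	syscall(SYS_capset, &hdr, data);
}
```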