From d72a1e7bb96b461eb47d921436f7fe344e7b268a Mon Sep 17 00:00:00 2001
From: David Gibson
Date: Mon, 12 Sep 2022 22:24:03 +1000
Subject: Move self-isolation code into a separate file

passt/pasta contains a number of routines designed to isolate passt from the rest of the system for security. These are spread through util.c and passt.c. Move them together into a new isolation.c file.

Signed-off-by: David Gibson
---
 util.c | 51 ---------------------------------------------------
 1 file changed, 51 deletions(-)
(limited to 'util.c')
diff --git a/util.c b/util.c
index ce88aee..f709838 100644
--- a/util.c
+++ b/util.c
@@ -13,30 +13,17 @@
 */
 #include
-#include
-#include
-#include
 #include
 #include
 #include
 #include
-#include
-#include
-#include
 #include
-#include
-#include
-#include
 #include
 #include
 #include
 #include
 #include
 #include
-#include
-#include
-
-#include
 #include "util.h"
 #include "passt.h"
@@ -467,44 +454,6 @@ void procfs_scan_listen(struct ctx *c, uint8_t proto, int ip_version, int ns,
 }
 }
-/**
- * drop_caps() - Drop capabilities we might have except for CAP_NET_BIND_SERVICE
- */
-void drop_caps(void)
-{
- int i;
-
- for (i = 0; i < 64; i++) {
- if (i == CAP_NET_BIND_SERVICE)
- continue;
-
- prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
- }
-}
-
-/**
- * drop_root() - Switch to given UID and GID
- * @uid: User ID to switch to
- * @gid: Group ID to switch to
- */
-void drop_root(uid_t uid, gid_t gid)
-{
- if (setgroups(0, NULL)) {
- /* If we don't start with CAP_SETGID, this will EPERM */
- if (errno != EPERM) {
- err("Can't drop supplementary groups: %s",
- strerror(errno));
- exit(EXIT_FAILURE);
- }
- }
-
- if (!setgid(gid) && !setuid(uid))
- return;
-
- err("Can't change user/group, exiting");
- exit(EXIT_FAILURE);
-}
-
 /**
 * ns_enter() - Enter configured user (unless already joined) and network ns
 * @c: Execution context
-- cgit v1.2.3