From 3192c6636c7492a6a1ed5650f8368464fac040e4 Mon Sep 17 00:00:00 2001 From: Arfrever Frehtes Taifersar Arahesis Date: Mon, 21 Jan 2019 17:14:03 +0100 Subject: [PATCH] pid-ns-init: Drop permissions only for subprocess of pid-ns-init but not pid-ns-init itself With FEATURES="pid-sandbox userpriv", pid-ns-init should be run with unchanged permissions (usually UID=0, GID=0). Bug: https://bugs.gentoo.org/675868 Signed-off-by: Arfrever Frehtes Taifersar Arahesis --- bin/pid-ns-init | 26 +++++++++++++++++++++++--- lib/portage/process.py | 12 ++++++++++-- 2 files changed, 33 insertions(+), 5 deletions(-) diff --git a/bin/pid-ns-init b/bin/pid-ns-init index f9b8cc4f3..d66a8d510 100644 --- a/bin/pid-ns-init +++ b/bin/pid-ns-init @@ -39,7 +39,7 @@ def forward_kill_signal(main_child_pid, signum, frame): def main(argv): if len(argv) < 2: - return 'Usage: {} or [arg]..'.format(argv[0]) + return 'Usage: {} or [arg]..'.format(argv[0]) if len(argv) == 2: # The child process is init (pid 1) in a child pid namespace, and @@ -50,13 +50,33 @@ def main(argv): proc = None else: # The current process is init (pid 1) in a child pid namespace. - pass_fds, binary, args = tuple(int(fd) for fd in argv[1].split(',')), argv[2], argv[3:] + uid, gid, groups, umask, pass_fds, binary, args = argv[1], argv[2], argv[3], argv[4], tuple(int(fd) for fd in argv[5].split(',')), argv[6], argv[7:] + if uid: + uid = int(uid) + if gid: + gid = int(gid) + if groups: + groups = tuple(int(group) for group in groups.split(',')) + if umask: + umask = int(umask) + + def preexec(): + if gid: + os.setgid(gid) + if groups: + os.setgroups(groups) + if uid: + os.setuid(uid) + if umask: + os.umask(umask) + if signal_disposition_preexec is not None: + signal_disposition_preexec() popen_kwargs = {} if sys.version_info.major > 2: popen_kwargs['pass_fds'] = pass_fds proc = subprocess.Popen(args, executable=binary, - preexec_fn=signal_disposition_preexec, **popen_kwargs) + preexec_fn=preexec, **popen_kwargs) main_child_pid = proc.pid sig_handler = functools.partial(forward_kill_signal, main_child_pid) diff --git a/lib/portage/process.py b/lib/portage/process.py index dd3d58ddc..86b25226f 100644 --- a/lib/portage/process.py +++ b/lib/portage/process.py @@ -1,5 +1,5 @@ # portage.py -- core Portage functionality -# Copyright 1998-2018 Gentoo Authors +# Copyright 1998-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 @@ -467,7 +467,7 @@ def _exec(binary, mycommand, opt_name, fd_pipes, @param gid: Group ID to run the process under @type gid: Integer @param groups: Groups the Process should be in. - @type groups: Integer + @type groups: List @param uid: User ID to run the process under @type uid: Integer @param umask: an int representing a unix umask (see man chmod for umask details) @@ -571,8 +571,16 @@ def _exec(binary, mycommand, opt_name, fd_pipes, portage._python_interpreter, os.path.join(portage._bin_path, 'pid-ns-init'), + _unicode_encode(str(uid) if uid is not None else ''), + _unicode_encode(str(gid) if gid is not None else ''), + _unicode_encode(','.join(str(group) for group in groups) if groups is not None else ''), + _unicode_encode(str(umask) if umask is not None else ''), _unicode_encode(','.join(str(fd) for fd in fd_pipes)), binary] + myargs + uid = None + gid = None + groups = None + umask = None else: # Execute a supervisor process which will forward # signals to init and forward exit status to the -- 2.20.1