From cd408b3a5685df53d41a283145b9fc61e8f224c1 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Thu, 13 Oct 2016 14:03:02 +0200
Subject: [PATCH 1/2] Move commandline args to top of the file
This way we can access these from all the functions.
---
 bubblewrap.c | 37 ++++++++++++++++++-------------------
 1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/bubblewrap.c b/bubblewrap.c
index f459af43..bff1c043 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -51,6 +51,24 @@ static int proc_fd = -1;
 static char *opt_exec_label = NULL;
 static char *opt_file_label = NULL;
+char *opt_chdir_path = NULL;
+bool opt_unshare_user = FALSE;
+bool opt_unshare_user_try = FALSE;
+bool opt_unshare_pid = FALSE;
+bool opt_unshare_ipc = FALSE;
+bool opt_unshare_net = FALSE;
+bool opt_unshare_uts = FALSE;
+bool opt_unshare_cgroup = FALSE;
+bool opt_unshare_cgroup_try = FALSE;
+bool opt_needs_devpts = FALSE;
+uid_t opt_sandbox_uid = -1;
+gid_t opt_sandbox_gid = -1;
+int opt_sync_fd = -1;
+int opt_block_fd = -1;
+int opt_info_fd = -1;
+int opt_seccomp_fd = -1;
+char *opt_sandbox_hostname = NULL;
+
 typedef enum {
 SETUP_BIND_MOUNT,
 SETUP_RO_BIND_MOUNT,
@@ -892,25 +910,6 @@ read_priv_sec_op (int read_socket,
 return op->op;
 }
-char *opt_chdir_path = NULL;
-bool opt_unshare_user = FALSE;
-bool opt_unshare_user_try = FALSE;
-bool opt_unshare_pid = FALSE;
-bool opt_unshare_ipc = FALSE;
-bool opt_unshare_net = FALSE;
-bool opt_unshare_uts = FALSE;
-bool opt_unshare_cgroup = FALSE;
-bool opt_unshare_cgroup_try = FALSE;
-bool opt_needs_devpts = FALSE;
-uid_t opt_sandbox_uid = -1;
-gid_t opt_sandbox_gid = -1;
-int opt_sync_fd = -1;
-int opt_block_fd = -1;
-int opt_info_fd = -1;
-int opt_seccomp_fd = -1;
-char *opt_sandbox_hostname = NULL;
-
-
 static void
 parse_args_recurse (int *argcp,
 char ***argvp,
From 11128708e087d49c112aa66cdbc70970e8ce2516 Mon Sep 17 00:00:00 2001
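Review bot: The relocated option globals (`opt_chdir_path` through `opt_sandbox_hostname`) are still declared without `static`, unlike the `opt_exec_label`/`opt_file_label` declarations they now sit beside, so they stay externally visible mutable state for no stated reason; since the purpose of the move is file-internal access, this is the natural moment to write them as `static bool opt_unshare_uts = FALSE;` and so on, assuming no other translation unit references them. The `-1` initializers for `uid_t opt_sandbox_uid` and `gid_t opt_sandbox_gid` rely on implicit conversion where those types are unsigned; spelling the sentinel as `(uid_t) -1` and `(gid_t) -1` makes the "unset" intent explicit and avoids a sign-conversion warning. The deletion hunk at the old location is only the other half of the same move and needs no separate change.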
From: Alexander Larsson
Date: Thu, 13 Oct 2016 14:14:52 +0200
Subject: [PATCH 2/2] Don't allow setting hostname if not unsharing UTS namespace
This is normally verified on argument validation, but it may happen if someone managed to send custom priv-sep operations via e.g. ptrace. See https://github.com/projectatomic/bubblewrap/issues/107
---
 bubblewrap.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/bubblewrap.c b/bubblewrap.c
index bff1c043..8285a6cd 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -612,6 +612,10 @@ privileged_op (int privileged_op_socket,
 break;
 case PRIV_SEP_OP_SET_HOSTNAME:
+ /* This is checked at the start, but lets verify it here in case
+ something manages to send hacked priv-sep operation requests. */
+ if (!opt_unshare_uts)
+ die ("Refusing to set hostname in original namespace");
 if (sethostname (arg1, strlen(arg1)) != 0)
 die_with_error ("Can't set hostname to %s", arg1);
 break;
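Review bot: The new guard on `opt_unshare_uts` in the `PRIV_SEP_OP_SET_HOSTNAME` case is the right defence-in-depth, but the comment explaining it is vague and has a typo (`lets` should be `let's`); I would replace the two comment lines with `/* Already validated during argument parsing; re-checked here so a forged priv-sep request (see issue #107) cannot rename the UTS namespace bwrap itself is still running in. */`. The comment should also say that the check depends on `opt_unshare_uts` being final before the helper can receive any request, which nothing in this hunk shows. The enclosing `switch` and `privileged_op` begin and end outside the hunk.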