Ensure that the download process cannot get new privileges

Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
Remi Gacogne 2024-04-03 17:11:25 +02:00 committed by Allan McRae
parent f142df92c7
commit cf473bcfbd
2 changed files with 10 additions and 0 deletions


@ -17,9 +17,14 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>. * along with this program. If not, see <http://www.gnu.org/licenses/>.
*/ */
#include "config.h"
#include <errno.h> #include <errno.h>
#include <grp.h> #include <grp.h>
#include <pwd.h> #include <pwd.h>
#ifdef HAVE_SYS_PRCTL_H
#include <sys/prctl.h>
#endif /* HAVE_SYS_PRCTL_H */
#include <sys/types.h> #include <sys/types.h>
#include <unistd.h> #include <unistd.h>
@ -40,6 +45,10 @@ int SYMEXPORT alpm_sandbox_setup_child(alpm_handle_t *handle, const char* sandbo
if(sandbox_path != NULL && !handle->disable_sandbox) { if(sandbox_path != NULL && !handle->disable_sandbox) {
_alpm_sandbox_fs_restrict_writes_to(handle, sandbox_path); _alpm_sandbox_fs_restrict_writes_to(handle, sandbox_path);
} }
#if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_NO_NEW_PRIVS)
/* make sure that we cannot gain more privileges later, failure is fine */
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
#endif /* HAVE_SYS_PRCTL && PR_SET_NO_NEW_PRIVS */
if(restrict_syscalls && !handle->disable_sandbox) { if(restrict_syscalls && !handle->disable_sandbox) {
_alpm_sandbox_syscalls_filter(handle); _alpm_sandbox_syscalls_filter(handle);
} }
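Review bot: The prctl() return value on the added line is discarded, so a kernel that rejects PR_SET_NO_NEW_PRIVS (older kernels return EINVAL for it) leaves no trace; the comment says failure is fine, but logging it at debug level keeps a silently skipped hardening step visible when troubleshooting, e.g. `if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { _alpm_log(handle, ALPM_LOG_DEBUG, "could not set PR_SET_NO_NEW_PRIVS: %s\n", strerror(errno)); }` (strerror() needs `<string.h>` if it is not already included). The `#endif` comment names `HAVE_SYS_PRCTL` while the `#if` tests `HAVE_SYS_PRCTL_H`; make it `#endif /* HAVE_SYS_PRCTL_H && PR_SET_NO_NEW_PRIVS */`. The call also runs when `handle->disable_sandbox` is set, unlike the two guarded blocks around it — presumably intentional since the flag is harmless on its own, but a word in the comment would say so. Its placement before _alpm_sandbox_syscalls_filter() looks right, since an unprivileged process can only install a seccomp filter once no_new_privs is set. alpm_sandbox_setup_child's body continues outside the hunk.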


@ -132,6 +132,7 @@ foreach header : [
'sys/mnttab.h', 'sys/mnttab.h',
'sys/mount.h', 'sys/mount.h',
'sys/param.h', 'sys/param.h',
'sys/prctl.h',
'sys/statvfs.h', 'sys/statvfs.h',
'sys/types.h', 'sys/types.h',
'sys/ucred.h', 'sys/ucred.h',