[PATCH] host/rootfs: Set no_new_privs in PID 1
This prevents any program on the host from gaining privileges via execve(), ever. There are currently no such programs on the host so this should be a no-op for now. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/image/etc/init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host/rootfs/image/etc/init b/host/rootfs/image/etc/init index 4085fa55545e7309004967e443e47fc2b82b0663..e9938acec866045962a8ead096d199cbd3792469 100755 --- a/host/rootfs/image/etc/init +++ b/host/rootfs/image/etc/init @@ -2,4 +2,4 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is> -/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@ +/usr/bin/setpriv --no-new-privs -- /bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@ --- base-commit: 92e219e7c08c479d216a46d2736ea9d229ff034d change-id: 20251205-no-new-privs-2f22088c0736 -- Sincerely, Demi Marie Obenour (she/her/hers)
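Review bot: the added line in etc/init runs /usr/bin/setpriv before s6-linux-init, but the diffstat shows only etc/init changing, so nothing in this patch establishes that setpriv exists at that path in the host rootfs; if it is missing, s6-linux-init never starts. Please confirm the image already ships it at /usr/bin/setpriv, or add it in the same patch. A short comment above the line would also help: no_new_privs is inherited by every descendant of PID 1 and cannot be cleared, so a setuid or file-capability binary added later would fail to gain privileges with no obvious cause, and the commit message is currently the only place that says so.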
Demi Marie Obenour <demiobenour@gmail.com> writes:
This prevents any program on the host from gaining privileges via execve(), ever. There are currently no such programs on the host so this should be a no-op for now.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/image/etc/init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host/rootfs/image/etc/init b/host/rootfs/image/etc/init index 4085fa55545e7309004967e443e47fc2b82b0663..e9938acec866045962a8ead096d199cbd3792469 100755 --- a/host/rootfs/image/etc/init +++ b/host/rootfs/image/etc/init @@ -2,4 +2,4 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
-/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@ +/usr/bin/setpriv --no-new-privs -- /bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@
Looks good, but it's a standard chainloader interface so should be on its own line. I'll fix that when I commit.
This patch has been committed as fe9303b76eeeeaff162c053624707d33b224fc85, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=fe9303b76eeeeaff162c05362470.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
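One way to verify the effect the commit message describes on a booted host, as an added example that is not part of this thread or of the Spectrum tree. The function names `list_without_nnp` and `make_sample_proc` are hypothetical, the sample process table is constructed, and the check assumes the host PID namespace (kthreadd is PID 2) and a kernel that reports `NoNewPrivs` in `/proc/PID/status`.

```shell
#!/bin/sh
# Added example (not from the Spectrum tree): audit that every userspace
# process inherited no_new_privs from PID 1.

# list_without_nnp [PROC_ROOT]
# Prints "PID NAME" for each userspace process whose status file does not
# report "NoNewPrivs: 1". Returns 0 if none are found, 1 otherwise.
# Assumption: host PID namespace, where kthreadd is PID 2. Kernel threads
# are not descendants of PID 1, so they are skipped.
list_without_nnp() {
    proc_root=${1:-/proc}
    found=0
    for status in "$proc_root"/[0-9]*/status; do
        [ -r "$status" ] || continue    # process exited, or glob matched nothing
        pid=${status%/status}
        pid=${pid##*/}
        line=$(awk -v pid="$pid" '
            $1 == "Name:"       { name = $2 }
            $1 == "PPid:"       { ppid = $2 }
            $1 == "NoNewPrivs:" { nnp = $2 }
            END {
                # Nothing read (process vanished), or a kernel thread.
                if (NR == 0 || pid == 2 || ppid == 2) exit
                if (nnp != "1") print pid, name
            }' "$status" 2>/dev/null)
        if [ -n "$line" ]; then
            printf '%s\n' "$line"
            found=1
        fi
    done
    return "$found"
}

# make_sample_proc DIR
# Builds a constructed /proc-like tree so the check can be tried offline.
# Columns: PID, Name, PPid, NoNewPrivs.
make_sample_proc() {
    while read -r pid name ppid nnp; do
        mkdir -p "$1/$pid"
        printf 'Name:\t%s\nPPid:\t%s\nNoNewPrivs:\t%s\n' \
            "$name" "$ppid" "$nnp" > "$1/$pid/status"
    done <<EOF
1 s6-svscan 0 1
2 kthreadd 0 0
17 kworker/0:1 2 0
120 sh 1 1
EOF
}
```

On the host, `list_without_nnp /proc` should print nothing and return 0 once PID 1 is started through `setpriv --no-new-privs`.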