Let the proxy run with privileges of the calling user

We want to avoid having a privileged process anywhere inside the sandbox. On the other hand, running the proxy under the per-box user enables various kinds of mischief (like ptracing the proxy). Generally, we want to use a generic nobody-like UID, for which the caller's UID serves well.
pehrsoderman · Feb 22, 2018 · 2270c5e · 2270c5e
1 parent b1ff6a9
commit 2270c5e
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/isolate.c b/isolate.c
@@ -46,8 +46,9 @@
  * We are running three processes:
  *
  *   - Keeper process (root privileges, parent namespace, parent cgroups)
- *   - Proxy process (root privileges, init process of the child namespace, parent cgroups)
- *   - Inside process (per-box UID, child namespace, child cgroups)
+ *   - Proxy process (UID/GID of the calling user, init process of the child
+ *     namespace, parent cgroups)
+ *   - Inside process (per-box UID/GID, child namespace, child cgroups)
  *
  * The proxy process just waits for the inside process to exit and then it passes
  * the exit status to the keeper.
@@ -618,6 +619,17 @@ box_inside(char **args)
 
 /*** Proxy ***/
 
+static void
+setup_orig_credentials(void)
+{
+  if (setresgid(orig_gid, orig_gid, orig_gid) < 0)
+    die("setresgid: %m");
+  if (setgroups(0, NULL) < 0)
+    die("setgroups: %m");
+  if (setresuid(orig_uid, orig_uid, orig_uid) < 0)
+    die("setresuid: %m");
+}
+
 static int
 box_proxy(void *arg)
 {
@@ -639,6 +651,8 @@ box_proxy(void *arg)
       _exit(42);	// We should never get here
     }
 
+  setup_orig_credentials();
+
   int stat;
   pid_t p = waitpid(inside_pid, &stat, 0);
   if (p < 0)