mirror of
https://github.com/genodelabs/genode.git
synced 2024-12-22 15:02:25 +00:00
base-linux: Add chdir after performing chroot
This ensures that the cwd of the process is within the chroot environment, improving security for root processes. The cwd after the chroot is the same as before; this is needed to start binaries given as a relative path name.
parent
bcabbe2c92
commit
59eb8bf3a8
@ -94,12 +94,18 @@ inline int lx_create_process(int (*entry)(void *), void *stack, void *arg)
|
|||||||
** Chroot handling **
|
** Chroot handling **
|
||||||
*********************/
|
*********************/
|
||||||
|
|
||||||
inline int lx_chroot(const char *path)
|
inline int lx_chroot(char const *path)
|
||||||
{
|
{
|
||||||
return lx_syscall(SYS_chroot, path);
|
return lx_syscall(SYS_chroot, path);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
inline int lx_chdir(char const *path)
|
||||||
|
{
|
||||||
|
return lx_syscall(SYS_chdir, path);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
inline int lx_getcwd(char *dst, size_t dst_len)
|
inline int lx_getcwd(char *dst, size_t dst_len)
|
||||||
{
|
{
|
||||||
return lx_syscall(SYS_getcwd, dst, dst_len);
|
return lx_syscall(SYS_getcwd, dst, dst_len);
|
||||||
|
@ -212,6 +212,7 @@ static int _exec_child(Execve_args *arg)
|
|||||||
|
|
||||||
/* change to chroot environment */
|
/* change to chroot environment */
|
||||||
if (arg->root && arg->root[0]) {
|
if (arg->root && arg->root[0]) {
|
||||||
|
char cwd[1024];
|
||||||
|
|
||||||
PDBG("arg->root='%s'", arg->root);
|
PDBG("arg->root='%s'", arg->root);
|
||||||
|
|
||||||
@ -220,6 +221,11 @@ static int _exec_child(Execve_args *arg)
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!lx_getcwd(cwd, sizeof(cwd))) {
|
||||||
|
PERR("Failed to getcwd");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
PLOG("changing root of %s (PID %d) to %s",
|
PLOG("changing root of %s (PID %d) to %s",
|
||||||
arg->filename, lx_getpid(), arg->root);
|
arg->filename, lx_getpid(), arg->root);
|
||||||
|
|
||||||
@ -228,6 +234,12 @@ static int _exec_child(Execve_args *arg)
|
|||||||
PERR("Syscall chroot failed (errno %d)", ret);
|
PERR("Syscall chroot failed (errno %d)", ret);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ret = lx_chdir(cwd);
|
||||||
|
if (ret < 0) {
|
||||||
|
PERR("chdir to new chroot failed");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return lx_execve(arg->filename, arg->argv, arg->envp);
|
return lx_execve(arg->filename, arg->argv, arg->envp);
|
||||||
|
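Review bot: The new guard `if (!lx_getcwd(cwd, sizeof(cwd)))` fires only on a return of 0, but lx_getcwd hands back the int result of the raw SYS_getcwd syscall, which is a positive length on success; the chroot and chdir checks in this same function treat a negative value as failure, so a failed getcwd presumably comes back negative and slips past this test. In that case `cwd` is still uninitialised when it reaches `lx_chdir(cwd)`, after the chroot has already taken effect. Test the sign instead, `if (lx_getcwd(cwd, sizeof(cwd)) < 0) {`, and consider logging the returned value the way the chroot branch does. _exec_child starts and ends outside the hunks shown.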