authorRobert Obryk <robryk@gmail.com>2022-11-14 14:45:36 +0100
committerRobert Obryk <robryk@gmail.com>2023-08-27 14:10:38 +0200
commite3550208de58dbf1ce92de85fd555674bc00ce82 (patch)
treecaf8d69200c08c656c7bb316482487e92235c488 /nixos/modules/security
parent1bdbc0b0fedcb5fdcb60a88f9781e53d9b12d5c8 (diff)
nixos/security/wrappers: read capabilities off /proc/self/exe directly
/proc/self/exe is a "fake" symlink. When it's opened, it always opens
the actual file that was execve()d in this process, even if the file was
deleted or renamed; if the file is no longer accessible from the current
chroot/mount namespace it will at the very worst fail and never open the
wrong file. Thus, we can make a much simpler argument that we're reading
capabilities off the correct file after this change (and that argument
doesn't rely on things such as protected_hardlinks being enabled, or no
users being able to write to /run/wrappers, or the verification that the
path readlink returns starts with /run/wrappers/).
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/wrappers/wrapper.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c
index b00ec9423209f..d9875a5280dd0 100644
--- a/nixos/modules/security/wrappers/wrapper.c
+++ b/nixos/modules/security/wrappers/wrapper.c
@@ -236,7 +236,7 @@ int main(int argc, char **argv) {
     // Read the capabilities set on the wrapper and raise them in to
     // the ambient set so the program we're wrapping receives the
     // capabilities too!
-    if (make_caps_ambient(self_path) != 0) {
+    if (make_caps_ambient("/proc/self/exe") != 0) {
         free(self_path);
         return 1;
     }
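Review bot: The reason `"/proc/self/exe"` is the safer thing to hand to make_caps_ambient() lives only in the commit message; the comment directly above the call still describes the step generically, so a reader of wrapper.c cannot see why the literal path replaced `self_path` and may be tempted to "simplify" it back. I would extend that comment along the lines of `// Read the caps off /proc/self/exe rather than a resolved path: opening it yields the very file that was execve()d into this process, even if it has since been renamed or deleted, so there is no lookup-then-open window to exploit; if the file is unreachable the open fails closed.` and add that the call presumably also fails closed when /proc is not mounted (e.g. in a chroot), which is an operational failure mode worth naming next to the return 1. `self_path` is still freed on the error path, so it presumably remains in use elsewhere in main; if this call was its only consumer, the allocation and the /run/wrappers/ prefix validation mentioned in the description could be dropped as a follow-up. The body of main starts and ends outside the hunk.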