sandbox: Unshare pids and mount a minimal /proc

Signed-off-by: Alexander Larsson <[email protected]>
alexlarsson · Oct 12, 2023 · d79fd60 · d79fd60
1 parent 8a88bfa
commit d79fd60
Showing 1 changed file with 26 additions and 1 deletion.
diff --git a/tools/sandbox.c b/tools/sandbox.c
@@ -30,6 +30,8 @@
 #include <sys/syscall.h>
 #include <sys/mount.h>
 #include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
 #ifdef HAVE_SYS_CAPABILITY_H
 #include <sys/capability.h>
 #endif
@@ -91,10 +93,25 @@ static void do_namespace_sandbox(void)
 #endif
 
 	ret = unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWUTS |
-		      CLONE_NEWIPC | CLONE_NEWNET);
+		      CLONE_NEWIPC | CLONE_NEWNET | CLONE_NEWPID);
 	if (ret < 0)
 		return;
 
+	pid_t pid = fork();
+	if (pid < 0)
+		err(EXIT_FAILURE, "fork");
+	if (pid != 0) {
+		int wstatus;
+		int res = waitpid(pid, &wstatus, 0);
+		if (res == -1)
+			err(EXIT_FAILURE, "waitpid");
+
+		if (!WIFEXITED(wstatus))
+			err(EXIT_FAILURE, "sandbox process died");
+
+		exit(WEXITSTATUS(wstatus));
+	}
+
 	fd = open("/proc/self/setgroups", O_WRONLY | O_CLOEXEC);
 	if (fd < 0)
 		err(EXIT_FAILURE, "open /proc/self/setgroups");
@@ -143,6 +160,14 @@ static void do_namespace_sandbox(void)
 	free(cwd);
 	cwd = NULL;
 
+	ret = mkdir("proc", 0755);
+	if (ret < 0)
+		err(EXIT_FAILURE, "mkdir /proc");
+
+	if (mount("proc", "proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV,
+		  "subset=pid,hidepid=noaccess") != 0)
+		err(EXIT_FAILURE, "mount /proc");
+
 	ret = pivot_root(".", ".");
 	if (ret < 0)
 		err(EXIT_FAILURE, "pivot_root");