feat: implement no new privs option

nixpig · Dec 24, 2024 · ea02ebc · ea02ebc
1 parent 693ca66
commit ea02ebc
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/Vagrantfile b/Vagrantfile
@@ -1,4 +1,4 @@
-Vagrant.configure("1") do |config|
+Vagrant.configure("2") do |config|
   config.vm.box = "bento/ubuntu-24.04"
   config.vm.synced_folder '.', '/brownie'
 

diff --git a/container/container_reexec.go b/container/container_reexec.go
@@ -17,6 +17,7 @@ import (
 	"github.com/nixpig/brownie/filesystem"
 	"github.com/nixpig/brownie/terminal"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"golang.org/x/sys/unix"
 )
 
 func (c *Container) Reexec() error {
@@ -163,6 +164,12 @@ func (c *Container) Reexec() error {
 		return err
 	}
 
+	if c.Spec.Process.NoNewPrivileges {
+		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+			return fmt.Errorf("set no new privileges: %w", err)
+		}
+	}
+
 	if err := syscall.Setuid(int(c.Spec.Process.User.UID)); err != nil {
 		return fmt.Errorf("set UID: %w", err)
 	}