diff options
Diffstat (limited to 'support')
| -rw-r--r-- | support/fuse.h | 1 | ||||
| -rw-r--r-- | support/shell-container.c | 8 | ||||
| -rw-r--r-- | support/support_capture_subprocess.c | 21 | ||||
| -rw-r--r-- | support/support_fuse.c | 6 | ||||
| -rw-r--r-- | support/support_stack_alloc.c | 9 | ||||
| -rw-r--r-- | support/support_subprocess.c | 3 | ||||
| -rw-r--r-- | support/test-container.c | 4 |
7 files changed, 40 insertions, 12 deletions
diff --git a/support/fuse.h b/support/fuse.h index 7b246de..f379cc7 100644 --- a/support/fuse.h +++ b/support/fuse.h @@ -96,6 +96,7 @@ void *support_fuse_cast_name_internal (struct fuse_in_header *, uint32_t, #define support_fuse_payload_type_READ struct fuse_read_in #define support_fuse_payload_type_SETATTR struct fuse_setattr_in #define support_fuse_payload_type_WRITE struct fuse_write_in +#define support_fuse_payload_type_COPY_FILE_RANGE struct fuse_copy_file_range_in #define support_fuse_cast(typ, inh) \ ((support_fuse_payload_type_##typ *) \ support_fuse_cast_internal ((inh), FUSE_##typ)) diff --git a/support/shell-container.c b/support/shell-container.c index dcf53ad..06f3212 100644 --- a/support/shell-container.c +++ b/support/shell-container.c @@ -237,25 +237,25 @@ run_command_array (char **argv) { if (strcmp (argv[i], "<") == 0 && argv[i + 1]) { - new_stdin = open (argv[i + 1], O_WRONLY|O_CREAT|O_TRUNC, 0777); + new_stdin = open (argv[i + 1], O_WRONLY|O_CREAT|O_TRUNC, 0666); ++i; continue; } if (strcmp (argv[i], ">") == 0 && argv[i + 1]) { - new_stdout = open (argv[i + 1], O_WRONLY|O_CREAT|O_TRUNC, 0777); + new_stdout = open (argv[i + 1], O_WRONLY|O_CREAT|O_TRUNC, 0666); ++i; continue; } if (strcmp (argv[i], ">>") == 0 && argv[i + 1]) { - new_stdout = open (argv[i + 1], O_WRONLY|O_CREAT|O_APPEND, 0777); + new_stdout = open (argv[i + 1], O_WRONLY|O_CREAT|O_APPEND, 0666); ++i; continue; } if (strcmp (argv[i], "2>") == 0 && argv[i + 1]) { - new_stderr = open (argv[i + 1], O_WRONLY|O_CREAT|O_TRUNC, 0777); + new_stderr = open (argv[i + 1], O_WRONLY|O_CREAT|O_TRUNC, 0666); ++i; continue; } diff --git a/support/support_capture_subprocess.c b/support/support_capture_subprocess.c index b4e4bf9..c89e65b 100644 --- a/support/support_capture_subprocess.c +++ b/support/support_capture_subprocess.c @@ -133,6 +133,27 @@ copy_and_spawn_sgid (const char *child_id, gid_t gid) if (chmod (execname, 02750) != 0) FAIL_UNSUPPORTED ("cannot make \"%s\" SGID: %m ", execname); + /* Now we can drop the privilege of that group. */ + const int count = 64; + gid_t groups[count]; + int ngroups = getgroups(count, groups); + + if (ngroups < 0) + FAIL_UNSUPPORTED ("Could not get group list again for user %jd\n", + (intmax_t) getuid ()); + + int n = 0; + for (int i = 0; i < ngroups; i++) + { + if (groups[i] != gid) + { + if (n != i) + groups[n] = groups[i]; + n++; + } + } + setgroups (n, groups); + /* We have the binary, now spawn the subprocess. Avoid using support_subprogram because we only want the program exit status, not the contents. */ diff --git a/support/support_fuse.c b/support/support_fuse.c index a70a74c..a90882e 100644 --- a/support/support_fuse.c +++ b/support/support_fuse.c @@ -212,6 +212,9 @@ support_fuse_handle_directory (struct support_fuse *f) support_fuse_reply_prepared (f); } return true; + case FUSE_GETXATTR: + support_fuse_reply_error (f, ENOSYS); + return true; default: return false; } @@ -222,7 +225,8 @@ support_fuse_handle_mountpoint (struct support_fuse *f) { TEST_VERIFY (f->inh != NULL); /* 1 is the root node. */ - if (f->inh->opcode == FUSE_GETATTR && f->inh->nodeid == 1) + if ((f->inh->opcode == FUSE_GETATTR || f->inh->opcode == FUSE_GETXATTR) + && f->inh->nodeid == 1) return support_fuse_handle_directory (f); return false; } diff --git a/support/support_stack_alloc.c b/support/support_stack_alloc.c index 5e576be..132e7b4 100644 --- a/support/support_stack_alloc.c +++ b/support/support_stack_alloc.c @@ -64,11 +64,10 @@ support_stack_alloc (size_t size) MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE|MAP_STACK, -1); /* Some architecture still requires executable stack for the signal return - trampoline, although PF_X could be overridden if PT_GNU_STACK is present. - However since glibc does not export such information with a proper ABI, - it uses the historical permissions. */ - int prot = PROT_READ | PROT_WRITE - | (DEFAULT_STACK_PERMS & PF_X ? PROT_EXEC : 0); + trampoline, although PROT_EXEC could be overridden if PT_GNU_STACK is + present. However since glibc does not export such information with a + proper ABI, it uses the historical permissions. */ + int prot = DEFAULT_STACK_PROT_PERMS; xmprotect (alloc_base + guardsize, stacksize, prot); memset (alloc_base + guardsize, 0xA5, stacksize); return (struct support_stack) { alloc_base + guardsize, stacksize, guardsize }; diff --git a/support/support_subprocess.c b/support/support_subprocess.c index be00dde..8bf9a33 100644 --- a/support/support_subprocess.c +++ b/support/support_subprocess.c @@ -25,6 +25,7 @@ #include <support/check.h> #include <support/xunistd.h> #include <support/subprocess.h> +#include <support/temp_file-internal.h> static struct support_subprocess support_subprocess_init (void) @@ -60,6 +61,8 @@ support_subprocess (void (*callback) (void *), void *closure) xclose (result.stdout_pipe[1]); xclose (result.stderr_pipe[1]); callback (closure); + /* Make sure that temporary files are deleted. */ + support_delete_temp_files (); _exit (0); } xclose (result.stdout_pipe[1]); diff --git a/support/test-container.c b/support/test-container.c index a641250..ae643d3 100644 --- a/support/test-container.c +++ b/support/test-container.c @@ -273,7 +273,7 @@ devmount (const char *new_root_path, const char *which) { int fd; fd = open (concat (new_root_path, "/dev/", which, NULL), - O_CREAT | O_TRUNC | O_RDWR, 0777); + O_CREAT | O_TRUNC | O_RDWR, 0666); xclose (fd); trymount (concat ("/dev/", which, NULL), @@ -740,7 +740,7 @@ main (int argc, char **argv) char *command_basename; char *so_base; int do_postclean = 0; - bool do_ldconfig = false; + bool do_ldconfig = true; char *change_cwd = NULL; int pipes[2]; |