Commit e3550208 authored by Robert Obryk

nixos/security/wrappers: read capabilities off /proc/self/exe directly

/proc/self/exe is a "fake" symlink. When it's opened, it always opens
the actual file that was execve()d in this process, even if the file was
deleted or renamed; if the file is no longer accessible from the current
chroot/mount namespace it will at the very worst fail and never open the
wrong file. Thus, we can make a much simpler argument that we're reading
capabilities off the correct file after this change (and that argument
doesn't rely on things such as protected_hardlinks being enabled, or no
users being able to write to /run/wrappers, or the verification that the
path readlink returns starts with /run/wrappers/).
parent 1bdbc0b0
@@ -236,7 +236,7 @@ int main(int argc, char **argv) {
    // Read the capabilities set on the wrapper and raise them in to
    // the ambient set so the program we're wrapping receives the
    // capabilities too!
    if (make_caps_ambient(self_path) != 0) {
    if (make_caps_ambient("/proc/self/exe") != 0) {
        free(self_path);
        return 1;
    }
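Review bot: `self_path` is still allocated and released on the error path (`free(self_path);`) even though `make_caps_ambient` no longer takes it; if nothing else in `main` uses it after this change, the `readlink` of `/proc/self/exe` that produces it and the `/run/wrappers/` prefix check the commit message says are no longer part of the security argument should be removed in the same commit, otherwise the wrapper keeps a check that the message declares redundant and a reader cannot tell which one is load-bearing. It is also worth a sentence in the comment above the call: opening `"/proc/self/exe"` requires procfs to be mounted and visible in the current mount namespace, so where `/proc` is absent the wrapper now returns 1 instead of executing the target, which is fail-closed and consistent with the commit message but should be stated explicitly.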