Changeset 34445 in vbox for trunk/src/VBox/HostDrivers/Support
- Timestamp:
- Nov 29, 2010 10:09:02 AM (14 years ago)
- File:
-
- 1 edited
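--- a/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp
+++ b/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp
@@ -649,35 +649,36 @@
 # elif defined(RT_OS_SOLARIS)
 /*
-* Add net_icmpaccess privilege to permitted, effective and inheritable
-* privileges before dropping root privileges. Skip this hacky code for
-* real root, as it removes lots of privileges due to the harcoded set.
-*/
-if (getuid() != 0)
-{
-priv_set_t *pPrivSet = priv_str_to_set("basic", ",", NULL);
-if (pPrivSet)
+* Add net_icmpaccess privilege to permitted and effective privilege set
+* before dropping root privileges. Leave inheritable privilege set
+* untouched as we don't want to pass any additional privileges to
+* subprocesses (think of VBoxSVC).
+*/
+priv_set_t *pPrivSet = priv_allocset();
+if (pPrivSet)
+{
+priv_emptyset(pPrivSet);
+/* The inheritable privilege set contains the privileges the process
+* would have received if it weren't marked as suid root. */
+int rc = getppriv(PRIV_SET, PRIV_INHERITABLE, pPrivSet);
+if (!rc)
 {
 priv_addset(pPrivSet, PRIV_NET_ICMPACCESS);
-int rc = setppriv(PRIV_SET, PRIV_INHERITABLE, pPrivSet);
+rc = setppriv(PRIV_SET, PRIV_PERMITTED, pPrivSet);
 if (!rc)
 {
-rc = setppriv(PRIV_SET, PRIV_PERMITTED, pPrivSet);
-if (!rc)
-{
-rc = setppriv(PRIV_SET, PRIV_EFFECTIVE, pPrivSet);
-if (rc)
-supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set effective privilege set.\n");
-}
-else
-supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set permitted privilege set.\n");
+rc = setppriv(PRIV_SET, PRIV_EFFECTIVE, pPrivSet);
+if (rc)
+supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set effective privilege set.\n");
 }
 else
-supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set inheritable privilege set.\n");
-
-priv_freeset(pPrivSet);
+supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set permitted privilege set.\n");
 }
 else
-supR3HardenedError(-1, false, "SUPR3HardenedMain: failed to get basic privilege set.\n");
-}
+supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to get inheritable privilege set.\n");
+
+priv_freeset(pPrivSet);
+}
+else
+supR3HardenedError(-1, false, "SUPR3HardenedMain: failed to allocate privilege set.\n");
 # endif
 }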
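Review bot: Every failure path in the new block passes `false` as the second argument to `supR3HardenedError`, which looks like the fatal flag, so a failed `getppriv` or `setppriv(PRIV_SET, PRIV_PERMITTED, pPrivSet)` apparently lets the process continue with the permitted and effective sets it started with. Whether the later root drop makes that harmless is not visible in this hunk; if narrowing the sets is meant as hardening, these paths should fail closed, and if not, a comment such as `/* Non-fatal: on failure the process keeps its original permitted/effective sets until root is dropped. */` would record the decision. The `if (getuid() != 0)` guard is also gone, so the block now runs for real root and replaces its permitted and effective sets with the inheritable set plus `PRIV_NET_ICMPACCESS`; the header comment should state that this is intended. The enclosing function starts and ends outside the hunk.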