VirtualBox

Ignore:
Timestamp:
Dec 3, 2010 2:49:53 PM (14 years ago)
Author:
vboxsync
Message:

SUPR3HardenedMain: back out failed attempt to handle privilege updating for regular users, the attempt broke NAT ICMP in some cases

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp

    r34448 r34701  
    649649# elif defined(RT_OS_SOLARIS)
    650650    /*
    651      * Add net_icmpaccess privilege to permitted and effective privilege set
    652      * before dropping root privileges. Leave inheritable privilege set
    653      * untouched as we don't want to pass any additional privileges to
    654      * subprocesses (think of VBoxSVC).
    655      */
    656     priv_set_t *pPrivSet = priv_allocset();
    657     if (pPrivSet)
    658     {
    659         priv_emptyset(pPrivSet);
    660         /* The inheritable privilege set contains the privileges the process
    661          * would have received if it weren't marked as suid root. */
    662         int rc = getppriv(PRIV_INHERITABLE, pPrivSet);
    663         if (!rc)
     651     * Add net_icmpaccess privilege to permitted, effective and inheritable
     652     * privileges before dropping root privileges. Skip this hacky code for
     653     * real root, as it removes lots of privileges due to the harcoded set.
     654     */
     655    if (getuid() != 0)
     656    {
     657        priv_set_t *pPrivSet = priv_str_to_set("basic", ",", NULL);
     658        if (pPrivSet)
    664659        {
    665660            priv_addset(pPrivSet, PRIV_NET_ICMPACCESS);
    666             rc = setppriv(PRIV_SET, PRIV_PERMITTED, pPrivSet);
     661            int rc = setppriv(PRIV_SET, PRIV_INHERITABLE, pPrivSet);
    667662            if (!rc)
    668663            {
    669                 rc = setppriv(PRIV_SET, PRIV_EFFECTIVE, pPrivSet);
    670                 if (rc)
    671                     supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set effective privilege set.\n");
     664                rc = setppriv(PRIV_SET, PRIV_PERMITTED, pPrivSet);
     665                if (!rc)
     666                {
     667                    rc = setppriv(PRIV_SET, PRIV_EFFECTIVE, pPrivSet);
     668                    if (rc)
     669                        supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set effective privilege set.\n");
     670                }
     671                else
     672                    supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set permitted privilege set.\n");
    672673            }
    673674            else
    674                 supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set permitted privilege set.\n");
     675                supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set inheritable privilege set.\n");
     676
     677            priv_freeset(pPrivSet);
    675678        }
    676679        else
    677             supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to get inheritable privilege set.\n");
    678 
    679         priv_freeset(pPrivSet);
    680     }
    681     else
    682         supR3HardenedError(-1, false, "SUPR3HardenedMain: failed to allocate privilege set.\n");
     680            supR3HardenedError(-1, false, "SUPR3HardenedMain: failed to get basic privilege set.\n");
     681    }
    683682# endif
    684683}
Note: See TracChangeset for help on using the changeset viewer.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette