author | Tor Brede Vekterli <vekterli@yahooinc.com> | 2023-10-10 09:32:47 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@vespa.ai> | 2023-11-14 12:33:08 +0000 |
commit | 51ff36cb354317b5c7911e13c351e009353a321c (patch) | |
tree | 03d6a953008648b003e9a83a13eefc62bdb36df1 /configd | |
parent | 26afaf784280bb86d278adcf1b93ac4e912c0fb0 (diff) |
Add env var for setting `no_new_privs` process bit on Linux
If set to "true" or "yes", the bit is set on the config sentinel process itself and is therefore
inherited by all processes it launches, directly or transitively. This is a one-way toggle: once set it cannot be cleared.
See https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
Diffstat (limited to 'configd')
-rw-r--r-- | configd/src/apps/sentinel/CMakeLists.txt | 1 | ||||
-rw-r--r-- | configd/src/apps/sentinel/platform-specific.cpp | 45 | ||||
-rw-r--r-- | configd/src/apps/sentinel/platform-specific.h | 16 | ||||
-rw-r--r-- | configd/src/apps/sentinel/sentinel.cpp | 3 |
4 files changed, 65 insertions, 0 deletions
diff --git a/configd/src/apps/sentinel/CMakeLists.txt b/configd/src/apps/sentinel/CMakeLists.txt
index 607aba2785c..d3cfcff4135 100644
--- a/configd/src/apps/sentinel/CMakeLists.txt
+++ b/configd/src/apps/sentinel/CMakeLists.txt
@@ -14,6 +14,7 @@ vespa_add_executable(configd_config-sentinel_app
     output-connection.cpp
     outward-check.cpp
     peer-check.cpp
+    platform-specific.cpp
     report-connectivity.cpp
     rpchooks.cpp
     rpcserver.cpp
diff --git a/configd/src/apps/sentinel/platform-specific.cpp b/configd/src/apps/sentinel/platform-specific.cpp
new file mode 100644
index 00000000000..d1c3682e857
--- /dev/null
+++ b/configd/src/apps/sentinel/platform-specific.cpp
@@ -0,0 +1,45 @@
+// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+#include "platform-specific.h"
+#include <vespa/vespalib/util/error.h>
+#include <cstdlib>
+#include <string_view>
+#ifdef __linux__
+#include <sys/prctl.h>
+#endif
+
+#include <vespa/log/log.h>
+LOG_SETUP(".sentinel.platform-specific");
+
+using namespace std::string_view_literals;
+
+namespace config::platform_specific {
+
+namespace {
+
+[[maybe_unused]] [[nodiscard]]
+bool is_env_toggled(const char* var_name) {
+    const char* maybe_toggled = getenv(var_name);
+    return (maybe_toggled && (maybe_toggled == "true"sv || maybe_toggled == "yes"sv));
+}
+
+}
+
+void pledge_no_new_privileges_if_env_configured() {
+#ifdef __linux__
+    if (is_env_toggled("VESPA_PR_SET_NO_NEW_PRIVS")) {
+        // One-way toggle to prevent any subprocess from possibly getting extra privileges via
+        // setuid/setgid executables (modulo exciting things like kernel bugs or a small, trained
+        // rat that climbs into your computer and pulls an adorably tiny lever labeled "root access").
+        // Helps mitigate a certain class of vulnerabilities, and also allows processes to install
+        // their own seccomp filters.
+        // See https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
+        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
+            LOG(warning, "Failed to invoke prctl(PR_SET_NO_NEW_PRIVS): %s", vespalib::getErrorString(errno).c_str());
+        } else {
+            LOG(debug, "Successfully invoked prctl(PR_SET_NO_NEW_PRIVS)");
+        }
+    }
+#endif
+}
+
+}
diff --git a/configd/src/apps/sentinel/platform-specific.h b/configd/src/apps/sentinel/platform-specific.h
new file mode 100644
index 00000000000..d68d5f73768
--- /dev/null
+++ b/configd/src/apps/sentinel/platform-specific.h
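Review bot: In `pledge_no_new_privileges_if_env_configured` a hardening request that cannot be honoured is dropped silently: the whole body sits inside `#ifdef __linux__`, so a non-Linux build with `VESPA_PR_SET_NO_NEW_PRIVS` set logs nothing, and `is_env_toggled` accepts only the exact strings "true"/"yes", so a value like "1" or "TRUE" leaves the bit unset without a single log line. For an operator-requested security control the sentinel should say when it was not applied, so I would read the variable outside the `#ifdef`, warn on an unrecognised value and on unsupported platforms, and raise the success message from `debug` to `info` so production logs show whether the bit is in effect (this makes `is_env_toggled` unnecessary). `errno` is also used without an explicit `#include <cerrno>`; it presumably arrives transitively via `error.h` or `prctl.h`, but an explicit include is cheaper than finding out otherwise.
```cpp
void pledge_no_new_privileges_if_env_configured() {
    const char* value = getenv("VESPA_PR_SET_NO_NEW_PRIVS");
    if (!value) {
        return;
    }
    if (!(value == "true"sv || value == "yes"sv)) {
        LOG(warning, "VESPA_PR_SET_NO_NEW_PRIVS='%s' not recognized (expected \"true\" or \"yes\"); no_new_privs NOT set", value);
        return;
    }
#ifdef __linux__
    // … unchanged: explanatory comment on the one-way toggle …
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        LOG(warning, "Failed to invoke prctl(PR_SET_NO_NEW_PRIVS): %s", vespalib::getErrorString(errno).c_str());
    } else {
        LOG(info, "no_new_privs is now set for this process and everything it launches");
    }
#else
    LOG(warning, "VESPA_PR_SET_NO_NEW_PRIVS is set, but no_new_privs is only supported on Linux; ignoring");
#endif
}
```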
@@ -0,0 +1,16 @@
+// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+#pragma once
+
+namespace config::platform_specific {
+
+/**
+ * If running on Linux, sets the `no_new_privs` process bit, which amongst other
+ * things prevents all launched sub-process(es) from acquiring more privileges
+ * through setuid/setgid executables.
+ *
+ * Only takes effect if the `VESPA_PR_SET_NO_NEW_PRIVS` environment variable is
+ * set to "true" or "yes".
+ */
+void pledge_no_new_privileges_if_env_configured();
+
+}
diff --git a/configd/src/apps/sentinel/sentinel.cpp b/configd/src/apps/sentinel/sentinel.cpp
index 59c690275c3..4f1d6019065 100644
--- a/configd/src/apps/sentinel/sentinel.cpp
+++ b/configd/src/apps/sentinel/sentinel.cpp
@@ -1,6 +1,7 @@
 // Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 #include "manager.h"
+#include "platform-specific.h"
 #include <vespa/config/common/exceptions.h>
 #include <vespa/vespalib/util/signalhandler.h>
 #include <vespa/vespalib/util/exceptions.h>
@@ -58,6 +59,8 @@ main(int argc, char **argv)
     }
     setlocale(LC_ALL, "C");
+    platform_specific::pledge_no_new_privileges_if_env_configured(); // Affects all launched subprocesses
+
     sentinel::Env environment;
     LOG(debug, "Reading configuration");
     try {
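Review bot: The header comment on `pledge_no_new_privileges_if_env_configured` understates the scope of the bit: `no_new_privs` is set on the calling (sentinel) process, not only on its children, it is inherited across fork and execve and cannot be cleared, so the sentinel itself also loses the ability to gain privileges by exec'ing setuid/setgid binaries or files with capabilities. The comment should also state that the match is exact ("1" or "TRUE" are not accepted) and that on non-Linux platforms the call is a no-op, since a caller reading only this header would assume otherwise. Suggested replacement for the second paragraph: ` * Only takes effect if the VESPA_PR_SET_NO_NEW_PRIVS environment variable is set to exactly "true" or "yes" (case-sensitive). The bit is set on the calling process and inherited by every descendant; it cannot be cleared. On non-Linux platforms this function does nothing.`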
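Review bot: `main` cannot tell whether the hardening it asked for was actually applied: `pledge_no_new_privileges_if_env_configured()` returns `void` and (per the new .cpp) only logs a warning when `prctl` fails, so the sentinel goes on to launch services without the bit while the operator believes it is set. If the toggle is meant as a guarantee rather than best-effort, have the function report whether the bit is set and fail fast here, e.g. `if (!platform_specific::pledge_no_new_privileges_if_env_configured()) { LOG(error, "no_new_privs was requested but could not be set"); return 1; }`; otherwise document the best-effort semantics in the comment. The inline comment should also say the bit applies to the sentinel process itself, e.g. `// One-way: sets no_new_privs on this process; inherited by everything it launches`. `main` begins before this hunk, so I cannot see whether anything is forked or exec'd earlier in it; the call needs to precede any such launch to cover it.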