bugfix: nwebspawn设置seccomp，系统调用范围不包括setuid，setgid

Signed-off-by: xiacong <xiacong4@huawei.com> Change-Id: I11c9f42a4bf7efb43f25af6560399d3fd21bd0ce Signed-off-by: xiacong <xiacong4@huawei.com>
2024-11-23 15:10:44 +00:00 · 2023-06-20 15:32:35 +08:00 · 2023-06-20 15:32:35 +08:00 · fc56d74506
commit fc56d74506
parent a5b242cf24
1 changed files with 12 additions and 1 deletions
--- a/adapter/appspawn_adapter.cpp
+++ b/adapter/appspawn_adapter.cpp
@ -24,6 +24,9 @@
 #include "token_setproc.h"
 #ifdef WITH_SECCOMP
 #include "seccomp_policy.h"
+#include <sys/prctl.h>
+
+const char* RENDERER_NAME = "renderer";
 #endif

 void SetAppAccessToken(struct AppSpawnContent_ *content, AppSpawnClient *client)
@ -60,7 +63,15 @@ void SetSelinuxCon(struct AppSpawnContent_ *content, AppSpawnClient *client)
 void SetUidGidFilter(struct AppSpawnContent_ *content)
 {
 #ifdef WITH_SECCOMP
+#ifdef NWEB_SPAWN
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        APPSPAWN_LOGE("Failed to set no new privs");
+    }
+
+    if (!SetSeccompPolicyWithName(INDIVIDUAL, NWEBSPAWN_NAME)) {
+#else
    if (!SetSeccompPolicyWithName(INDIVIDUAL, APPSPAWN_NAME)) {
+#endif
        APPSPAWN_LOGE("Failed to set APPSPAWN seccomp filter and exit");
 #ifndef APPSPAWN_TEST
        _exit(0x7f);
@ -75,7 +86,7 @@ int SetSeccompFilter(struct AppSpawnContent_ *content, AppSpawnClient *client)
 {
 #ifdef WITH_SECCOMP
 #ifdef NWEB_SPAWN
-    const char *appName = NWEBSPAWN_NAME;
+    const char *appName = RENDERER_NAME;
    SeccompFilterType type = INDIVIDUAL;
 #else
    const char *appName = APP_NAME;