feat: Reduce privileges before calling exec

To follow - running as nonroot with nonroot gid

Bug: b/365984931
Change-Id: I501273f2b34717d69c8b42441e7b2aeaecb7f0ed
GitOrigin-RevId: 67f50f08458476e0d516cc7fdaf81f1d57f0b486

src/roma/byob/container/BUILD.bazel

@@ -89,6 +89,7 @@ cc_binary(
         "@com_google_absl//absl/strings",
         "@com_google_absl//absl/types:span",
         "@com_google_protobuf//:protobuf",
+        "@libcap",
     ],
 )
 

src/roma/byob/container/config.json

@@ -16,12 +16,15 @@
     "cwd": "/",
     "capabilities": {
       "bounding": [
+        "CAP_SETPCAP",
         "CAP_SYS_ADMIN"
       ],
       "effective": [
+        "CAP_SETPCAP",
         "CAP_SYS_ADMIN"
       ],
       "permitted": [
+        "CAP_SETPCAP",
         "CAP_SYS_ADMIN"
       ]
     },

src/roma/byob/container/run_workers.cc

@@ -16,7 +16,9 @@
 #include <signal.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/capability.h>
 #include <sys/mount.h>
+#include <sys/prctl.h>
 #include <sys/socket.h>
 #include <sys/syscall.h>
 #include <sys/un.h>
@@ -72,6 +74,14 @@ struct WorkerImplArg {
   const int dev_null_fd;
 };
 
+void SetPrctlOptions(absl::Span<const std::pair<int, int>> option_arg_pairs) {
+  for (const auto& [option, arg] : option_arg_pairs) {
+    if (::prctl(option, arg) < 0) {
+      PLOG(FATAL) << "Failed prctl(" << option << ", " << arg << ")";
+    }
+  }
+}
+
 int WorkerImpl(void* arg) {
   const WorkerImplArg& worker_impl_arg = *static_cast<WorkerImplArg*>(arg);
   PCHECK(::write(worker_impl_arg.fd, worker_impl_arg.code_token.data(), 36) ==
@@ -132,6 +142,11 @@ int WorkerImpl(void* arg) {
     PCHECK(connection_fd != -1);
     return absl::StrCat(connection_fd);
   }();
+  SetPrctlOptions({
+      {PR_CAPBSET_DROP, CAP_SYS_ADMIN},
+      {PR_CAPBSET_DROP, CAP_SETPCAP},
+      {PR_SET_PDEATHSIG, SIGHUP},
+  });
   {
     PCHECK(::dup2(worker_impl_arg.dev_null_fd, STDOUT_FILENO) != -1);
     PCHECK(::dup2(worker_impl_arg.dev_null_fd, STDERR_FILENO) != -1);