diff --git a/src/roma/byob/container/BUILD.bazel b/src/roma/byob/container/BUILD.bazel
index 7832741f..662c1b0f 100644
--- a/src/roma/byob/container/BUILD.bazel
+++ b/src/roma/byob/container/BUILD.bazel
@@ -89,6 +89,7 @@ cc_binary(
 "@com_google_absl//absl/strings",
 "@com_google_absl//absl/types:span",
 "@com_google_protobuf//:protobuf",
+ "@libcap",
 ],
 )
 
diff --git a/src/roma/byob/container/config.json b/src/roma/byob/container/config.json
index 29221406..1bab1c88 100644
--- a/src/roma/byob/container/config.json
+++ b/src/roma/byob/container/config.json
@@ -16,12 +16,15 @@
 "cwd": "/",
 "capabilities": {
 "bounding": [
+ "CAP_SETPCAP",
 "CAP_SYS_ADMIN"
 ],
 "effective": [
+ "CAP_SETPCAP",
 "CAP_SYS_ADMIN"
 ],
 "permitted": [
+ "CAP_SETPCAP",
 "CAP_SYS_ADMIN"
 ]
 },
diff --git a/src/roma/byob/container/run_workers.cc b/src/roma/byob/container/run_workers.cc
index a7c62d21..90b6c162 100644
--- a/src/roma/byob/container/run_workers.cc
+++ b/src/roma/byob/container/run_workers.cc
@@ -16,7 +16,9 @@
 #include
 #include
 #include
+#include
 #include
+#include
 #include
 #include
 #include
@@ -72,6 +74,14 @@ struct WorkerImplArg {
 const int dev_null_fd;
 };
 
+void SetPrctlOptions(absl::Span> option_arg_pairs) {
+ for (const auto& [option, arg] : option_arg_pairs) {
+ if (::prctl(option, arg) < 0) {
+ PLOG(FATAL) << "Failed prctl(" << option << ", " << arg << ")";
+ }
+ }
+}
+
 int WorkerImpl(void* arg) {
 const WorkerImplArg& worker_impl_arg = *static_cast(arg);
 PCHECK(::write(worker_impl_arg.fd, worker_impl_arg.code_token.data(), 36) ==
@@ -132,6 +142,11 @@ int WorkerImpl(void* arg) {
 PCHECK(connection_fd != -1);
 return absl::StrCat(connection_fd);
 }();
+ SetPrctlOptions({
+ {PR_CAPBSET_DROP, CAP_SYS_ADMIN},
+ {PR_CAPBSET_DROP, CAP_SETPCAP},
+ {PR_SET_PDEATHSIG, SIGHUP},
+ });
 {
 PCHECK(::dup2(worker_impl_arg.dev_null_fd, STDOUT_FILENO) != -1);
 PCHECK(::dup2(worker_impl_arg.dev_null_fd, STDERR_FILENO) != -1);
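Review bot: `::prctl(option, arg)` in the new SetPrctlOptions leaves the three trailing prctl(2) arguments unspecified, and the kernel rejects some options with EINVAL when those are nonzero (PR_SET_NO_NEW_PRIVS is documented as requiring arg3, arg4 and arg5 to be 0), so a helper that takes arbitrary (option, arg) pairs should pin them: `if (::prctl(option, arg, 0, 0, 0) < 0) {`. The two options this commit passes do not inspect the trailing arguments, so this is about the helper's contract rather than a failure today. The function also gets external linkage; if the rest of the file keeps its helpers `static` or in an anonymous namespace (not visible in the hunk), this one should match. A short header comment would make the failure mode explicit, e.g. `// Applies each (option, arg) prctl(2) in order; PLOG(FATAL) aborts the calling process on the first failure.`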
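Review bot: The two PR_CAPBSET_DROP calls only shrink the worker's bounding set, which limits what a later execve() can grant; CAP_SYS_ADMIN and CAP_SETPCAP stay in the worker's permitted and effective sets (CAP_SETPCAP being newly granted by the config.json change in this commit) until the worker execs, and the inheritable and ambient sets are not touched at all. Whether an exec follows is not visible here, but if anything untrusted runs in this process before it, or the exec'd binary is expected to start with no privileges, these drops are not sufficient on their own; clearing the permitted/effective sets with capset(2) (or cap_set_proc() now that @libcap is a dependency) and setting PR_SET_NO_NEW_PRIVS would close that gap. Separately, PR_SET_PDEATHSIG is racy: if the parent exited between clone and this prctl no SIGHUP is ever delivered, and the signal is bound to the parent thread that created the worker rather than the parent process, so the usual guard is to compare `getppid()` against the expected parent pid immediately after setting it. WorkerImpl begins and ends outside this hunk.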