From d96a938f2e234a757bc329461ef48a94488bb212 Mon Sep 17 00:00:00 2001
From: Privacy Sandbox Team
Date: Fri, 27 Sep 2024 21:26:34 +0000
Subject: [PATCH] feat: Reduce privileges before calling exec

To follow - running as nonroot with nonroot gid

Bug: b/365984931
Change-Id: I501273f2b34717d69c8b42441e7b2aeaecb7f0ed
GitOrigin-RevId: 67f50f08458476e0d516cc7fdaf81f1d57f0b486
---
 src/roma/byob/container/BUILD.bazel | 1 +
 src/roma/byob/container/config.json | 3 +++
 src/roma/byob/container/run_workers.cc | 15 +++++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/src/roma/byob/container/BUILD.bazel b/src/roma/byob/container/BUILD.bazel
index 7832741fc..662c1b0f5 100644
--- a/src/roma/byob/container/BUILD.bazel
+++ b/src/roma/byob/container/BUILD.bazel
@@ -89,6 +89,7 @@ cc_binary(
 "@com_google_absl//absl/strings",
 "@com_google_absl//absl/types:span",
 "@com_google_protobuf//:protobuf",
+ "@libcap",
 ],
 )
 
diff --git a/src/roma/byob/container/config.json b/src/roma/byob/container/config.json
index 292214068..1bab1c882 100644
--- a/src/roma/byob/container/config.json
+++ b/src/roma/byob/container/config.json
@@ -16,12 +16,15 @@
 "cwd": "/",
 "capabilities": {
 "bounding": [
+ "CAP_SETPCAP",
 "CAP_SYS_ADMIN"
 ],
 "effective": [
+ "CAP_SETPCAP",
 "CAP_SYS_ADMIN"
 ],
 "permitted": [
+ "CAP_SETPCAP",
 "CAP_SYS_ADMIN"
 ]
 },
diff --git a/src/roma/byob/container/run_workers.cc b/src/roma/byob/container/run_workers.cc
index a7c62d213..90b6c1621 100644
--- a/src/roma/byob/container/run_workers.cc
+++ b/src/roma/byob/container/run_workers.cc
@@ -16,7 +16,9 @@
 #include
 #include
 #include
+#include
 #include
+#include
 #include
 #include
 #include
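Review bot: Adding CAP_SETPCAP to the bounding, effective and permitted sets widens what the whole container process holds, not only what the worker can later drop: besides PR_CAPBSET_DROP, CAP_SETPCAP lets a thread move any capability from its bounding set into its inheritable set. The only consumer visible in this commit is the bounding-set drop in run_workers.cc, so the entry deserves a comment such as `"CAP_SETPCAP",  // only so WorkerImpl can PR_CAPBSET_DROP before exec` (or the equivalent in the runtime's config notes, since JSON has no comment syntax). If this runtime config also carries an `inheritable` or `ambient` list (not in this hunk), it should stay empty, because a bounding-set drop alone does not remove a capability that is also inheritable at execve.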
@@ -72,6 +74,14 @@ struct WorkerImplArg {
 const int dev_null_fd;
 };
 
+void SetPrctlOptions(absl::Span> option_arg_pairs) {
+ for (const auto& [option, arg] : option_arg_pairs) {
+ if (::prctl(option, arg) < 0) {
+ PLOG(FATAL) << "Failed prctl(" << option << ", " << arg << ")";
+ }
+ }
+}
+
 int WorkerImpl(void* arg) {
 const WorkerImplArg& worker_impl_arg = *static_cast(arg);
 PCHECK(::write(worker_impl_arg.fd, worker_impl_arg.code_token.data(), 36) ==
@@ -132,6 +142,11 @@ int WorkerImpl(void* arg) {
 PCHECK(connection_fd != -1);
 return absl::StrCat(connection_fd);
 }();
+ SetPrctlOptions({
+ {PR_CAPBSET_DROP, CAP_SYS_ADMIN},
+ {PR_CAPBSET_DROP, CAP_SETPCAP},
+ {PR_SET_PDEATHSIG, SIGHUP},
+ });
 {
 PCHECK(::dup2(worker_impl_arg.dev_null_fd, STDOUT_FILENO) != -1);
 PCHECK(::dup2(worker_impl_arg.dev_null_fd, STDERR_FILENO) != -1);
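Review bot: SetPrctlOptions has no comment stating its contract, and the contract is the point: it applies each (option, arg) pair via prctl(2) in the order given and aborts the process on the first failure, so a privilege drop is never silently skipped before the later exec. Suggest `// Applies each (option, arg) pair with prctl(2) in order; any failure is fatal so a` / `// privilege drop requested before exec can never be skipped.` above the definition. The PLOG(FATAL) message prints option and arg as bare integers, which is adequate but means a reader of the log needs prctl.h to decode them; the fatal check on every call is the right choice here.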
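Review bot: The two PR_CAPBSET_DROP calls shrink only the bounding set, so this worker keeps CAP_SYS_ADMIN and CAP_SETPCAP in its permitted and effective sets for everything that runs between this point and the execve, and a capability that the container runtime also places in the inheritable set (not visible here) survives the exec for a root process regardless of the bounding drop. If the intent is that nothing after this point holds these capabilities, also clear them from the permitted/effective sets after the bounding drops (capset(2), or cap_set_proc from the libcap dependency this commit adds but does not visibly use), dropping CAP_SETPCAP last since the other drops need it. PR_SET_PDEATHSIG names the thread that created this process rather than its parent process, and the kernel clears it when the exec'd binary is set-uid/set-gid or carries file capabilities, which the planned nonroot follow-up may hit; a comment saying which parent death SIGHUP is meant to catch would make that explicit. WorkerImpl begins and ends outside this hunk.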