ccon: Add process.disableNewPrivileges

Brought to my attention in [1].

[1]: opencontainers/runtime-spec#290

README.md

@@ -25,6 +25,7 @@ than [LXC][lxc.container.conf.5]).
     * [User](#user)
     * [Current working directory](#current-working-directory)
     * [Capabilities](#capabilities)
+    * [Disable new privileges](#disable-new-privileges)
     * [Arguments](#arguments)
     * [Path](#path)
     * [Host](#host)
@@ -504,6 +505,20 @@ namespace][user_namespaces.7]).
 ]
 ```
 
+#### Disable new privileges
+
+[Block the user-configured process from some otherwise-allowed
+privilege escallation][no_new_privs] (e.g. via setuid programs).
+
+* **`disableNewPrivileges`** (optional, boolean) If true, set
+  [`PR_SET_NO_NEW_PRIVS`][prctl.2].
+
+##### Example
+
+```json
+"disableNewPrivileges": true
+```
+
 #### Arguments
 
 The command that the container process executes after container setup
@@ -820,6 +835,7 @@ be distributed under the GPLv3+.
 [gethostname.2]: http://man7.org/linux/man-pages/man2/gethostname.2.html
 [mount.2]: http://man7.org/linux/man-pages/man2/mount.2.html
 [pivot_root.2]: http://man7.org/linux/man-pages/man2/pivot_root.2.html
+[prctl.2]: http://man7.org/linux/man-pages/man2/prctl.2.html
 [setgid.2]: http://man7.org/linux/man-pages/man2/setgid.2.html
 [setuid.2]: http://man7.org/linux/man-pages/man2/setuid.2.html
 [syscall.2]: http://man7.org/linux/man-pages/man2/syscall.2.html
@@ -844,4 +860,5 @@ be distributed under the GPLv3+.
 [cgroups]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 [cgroups-unified]: https://www.kernel.org/doc/Documentation/cgroup-v2.txt
 [devpts]: https://www.kernel.org/doc/Documentation/filesystems/devpts.txt
+[no_new_privs]: https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
 [sd_listen_fds]: http://www.freedesktop.org/software/systemd/man/sd_listen_fds.html

ccon.c

@@ -99,6 +99,7 @@ static int set_working_directory(json_t * process);
 static int set_user_group(json_t * process);
 static int _capng_name_to_capability(const char *name);
 static int set_capabilities(json_t * process);
+static int set_new_privs(json_t * process);
 static void exec_container_process(json_t * config, int *socket, int *exec_fd);
 static void exec_process(json_t * process, int dup_stdin, int *socket,
 			 int *exec_fd);
@@ -321,6 +322,7 @@ static int validate_config(json_t * config)
 	      "}"	/* }  (user) */
 	      "s?s,"	/* "cwd": "/root" */
 	      "s?[*],"	/* "capabilities": [...] */
+	      "s?b,"	/* "disableNewPrivileges": true */
 	      "s?[*],"	/* "args": [...] */
 	      "s?s,"	/* "path": "busybox" */
 	      "s?b,"	/* "host": true */
@@ -357,6 +359,7 @@ static int validate_config(json_t * config)
 	      "additionalGids",
 	    "cwd",
 	    "capabilities",
+	    "disableNewPrivileges",
 	    "args",
 	    "path",
 	    "host",
@@ -373,7 +376,8 @@ static int validate_config(json_t * config)
 
 	/*
 	 * TODO, validate:
-	 * * v0.1.0 spec doesn't contain process.host
+	 * * process.host only in v0.2.0+ configs
+	 * * process.disableNewPrivileges only in v0.4.0+ configs
 	 * * array values (process.env, hooks.pre-start, ...)
 	 */
 	return 0;
@@ -1023,6 +1027,26 @@ static int set_capabilities(json_t * process)
 	return 0;
 }
 
+static int set_new_privs(json_t * process)
+{
+	json_t *disable_new_privs;
+
+	disable_new_privs = json_object_get(process, "disableNewPrivileges");
+	if (!disable_new_privs) {
+		return 0;
+	}
+
+	if (json_boolean_value(disable_new_privs)) {
+		LOG("set no_new_privs\n");
+		if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+			PERROR("prctl");
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
 static void exec_container_process(json_t * config, int *socket, int *exec_fd)
 {
 	json_t *process;
@@ -1080,6 +1104,10 @@ static void exec_process(json_t * process, int dup_stdin, int *socket,
 		goto cleanup;
 	}
 
+	if (set_new_privs(process)) {
+		goto cleanup;
+	}
+
 	argv = json_array_of_strings_value(value);
 	if (!argv) {
 		LOG("failed to extract args\n");