patches and low-level development discussion
* [PATCH] host/rootfs: Set no_new_privs in PID 1
From: Demi Marie Obenour @ 2025-12-05 16:01 UTC
  To: Spectrum OS Development; +Cc: Alyssa Ross, Demi Marie Obenour

This prevents any program on the host from gaining privileges via
execve(), ever.  There are currently no such programs on the host so
this should be a no-op for now.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 host/rootfs/image/etc/init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/host/rootfs/image/etc/init b/host/rootfs/image/etc/init
index 4085fa55545e7309004967e443e47fc2b82b0663..e9938acec866045962a8ead096d199cbd3792469 100755
--- a/host/rootfs/image/etc/init
+++ b/host/rootfs/image/etc/init
@@ -2,4 +2,4 @@
 # SPDX-License-Identifier: EUPL-1.2+
 # SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
 
-/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@
+/usr/bin/setpriv --no-new-privs -- /bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@
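
Review bot: the new `+` line carries no comment saying why init is wrapped in setpriv, so the rationale exists only in the commit message. no_new_privs is inherited by every descendant of PID 1 and cannot be cleared once set, which means a setuid or file-capability binary added to the host later will run without its extra privilege, and nothing at this line explains why. A short comment above the invocation stating that the flag is set deliberately for the whole host would save that debugging.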

---
base-commit: 92e219e7c08c479d216a46d2736ea9d229ff034d
change-id: 20251205-no-new-privs-2f22088c0736

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
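
To check the effect described in the commit message on a running system, the following added example (not part of the patch or of Spectrum) lists processes that lack the flag, using the NoNewPrivs field the kernel exposes in /proc/<pid>/status. The function name nnp_audit and the VmSize heuristic for skipping kernel threads are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit which userspace processes have no_new_privs set.

# nnp_audit [PROCDIR]
# Prints one line per process whose NoNewPrivs value is not 1:
#   <pid> <name> NoNewPrivs=<value|missing>
# Returns 0 if every inspected process has the flag, 1 otherwise.
nnp_audit() {
    procdir=${1:-/proc}
    rc=0
    for status in "$procdir"/[0-9]*/status; do
        # A process may exit between glob expansion and the read; skip it.
        [ -r "$status" ] || continue
        # Kernel threads do not descend from PID 1 and never inherit the
        # flag. They have no address space, so their status file has no
        # VmSize line (heuristic chosen for this example; zombies are
        # skipped by it as well).
        grep -q '^VmSize:' "$status" 2>/dev/null || continue
        pid=${status%/status}
        pid=${pid##*/}
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$status" 2>/dev/null)
        nnp=$(sed -n 's/^NoNewPrivs:[[:space:]]*//p' "$status" 2>/dev/null)
        if [ "$nnp" != 1 ]; then
            printf '%s %s NoNewPrivs=%s\n' "$pid" "$name" "${nnp:-missing}"
            rc=1
        fi
    done
    return "$rc"
}
```

Called with no arguments, nnp_audit inspects /proc; with the flag set in PID 1 as in this patch, any line it prints is a userspace process that did not inherit the flag from init.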



* Re: [PATCH] host/rootfs: Set no_new_privs in PID 1
From: Alyssa Ross @ 2025-12-08 21:19 UTC
  To: Demi Marie Obenour; +Cc: Spectrum OS Development

Demi Marie Obenour <demiobenour@gmail.com> writes:

> This prevents any program on the host from gaining privileges via
> execve(), ever.  There are currently no such programs on the host so
> this should be a no-op for now.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
>  host/rootfs/image/etc/init | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/host/rootfs/image/etc/init b/host/rootfs/image/etc/init
> index 4085fa55545e7309004967e443e47fc2b82b0663..e9938acec866045962a8ead096d199cbd3792469 100755
> --- a/host/rootfs/image/etc/init
> +++ b/host/rootfs/image/etc/init
> @@ -2,4 +2,4 @@
>  # SPDX-License-Identifier: EUPL-1.2+
>  # SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
>  
> -/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@
> +/usr/bin/setpriv --no-new-privs -- /bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@
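
Review bot: on the `+` line, setpriv is invoked as /usr/bin/setpriv while s6-linux-init lives under /bin, so the first thing PID 1 executes now depends on a binary at a different prefix. It is worth confirming that the rootfs image provides setpriv at exactly that path, since a failed exec at this point leaves the host without an init.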

Looks good, but it's a standard chainloader interface so should be on
its own line.  I'll fix that when I commit.


* Re: [PATCH] host/rootfs: Set no_new_privs in PID 1
From: Alyssa Ross @ 2025-12-08 23:23 UTC
  To: Demi Marie Obenour, Spectrum OS Development
  Cc: Alyssa Ross, Demi Marie Obenour

This patch has been committed as fe9303b76eeeeaff162c053624707d33b224fc85,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=fe9303b76eeeeaff162c053624707d33b224fc85.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>
