From 89ccb73a22cb0130ebc354b3b1f6c51a7c72d89d Mon Sep 17 00:00:00 2001
From: Alice Frosi
Date: Thu, 24 Aug 2023 11:44:10 +0200
Subject: seitan: configure uid and gid for the socket

Allow setting a different uid and gid for the socket, otherwise seitan uses its own uid and gid.

Signed-off-by: Alice Frosi
---
 seitan.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/seitan.c b/seitan.c
index eff6523..fbfeb42 100644
--- a/seitan.c
+++ b/seitan.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -48,12 +49,16 @@ static struct option options[] = {
 	{ "input", required_argument, NULL, 'i' },
 	{ "pid", optional_argument, NULL, 'p' },
 	{ "socket", optional_argument, NULL, 's' },
+	{ "socket-user", optional_argument, NULL, 'u' },
+	{ "socket-group", optional_argument, NULL, 'g' },
 };
 
 struct arguments {
 	char *input_file;
 	char *socket;
 	int pid;
+	uid_t uid;
+	gid_t gid;
 };
 
 static void usage()
@@ -63,7 +68,9 @@ static void usage()
 	       "Usage:\n"
 	       "\t-i, --input:\tAction input file\n"
 	       "\t-p, --pid:\tPid of process to monitor (cannot be used together with socket)\n"
-	       "\t-s, --socket:\tSocket to pass the seccomp notifier fd (cannot be used together with pid)\n");
+	       "\t-s, --socket:\tSocket to pass the seccomp notifier fd (cannot be used together with pid)\n"
+	       "\t-u, --socket-user:\t User to set for the socket (cannot be used together with pid)\n"
+	       "\t-g, --socket-group:\t Group to set for the socket (cannot be used together with pid)\n");
 	exit(EXIT_FAILURE);
 }
 
@@ -73,7 +80,7 @@ static void parse(int argc, char **argv, struct arguments *arguments)
 	int oc;
 	if (arguments == NULL)
 		usage();
-	while ((oc = getopt_long(argc, argv, ":i:o:p:s:", options,
+	while ((oc = getopt_long(argc, argv, ":i:o:p:s:u:g:", options,
 				 &option_index)) != -1) {
 		switch (oc) {
 		case 'p':
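Review bot: As far as this hunk shows, `options[]` still has no all-zero terminating element after the new `{ "socket-group", optional_argument, NULL, 'g' },` entry, and getopt_long(3) requires one, so a long-option lookup can read past the end of the array; add `{ NULL, 0, NULL, 0 }` as the last element. The new entries also declare `optional_argument` while the short-option string in parse() uses `u:`/`g:` (a required argument): with `--socket-user 1000` getopt_long leaves optarg NULL and the `atoi(optarg)` in parse() dereferences it, and only the `--socket-user=1000` spelling carries a value. A uid or gid option without a value has no meaning here, so `required_argument` matches both the short options and the usage text. The same long/short mismatch already exists for `pid` and `socket` and predates this commit.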
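Review bot: The two new usage lines put a space after the tab (`"\t-u, --socket-user:\t User to set ..."`), which the existing `-i`/`-p`/`-s` lines do not, so the new descriptions render one column off; drop it: `"\t-u, --socket-user:\tUser to set for the socket (cannot be used together with pid)\n"` and likewise for `-g`. The text also promises that these options cannot be combined with `--pid`, but nothing visible in the patch rejects that combination; either add the check where main() picks the pid or socket path, or phrase it as "only used together with --socket".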
@@ -85,6 +92,12 @@ static void parse(int argc, char **argv, struct arguments *arguments)
 		case 's':
 			arguments->socket = optarg;
 			break;
+		case 'u':
+			arguments->uid = atoi(optarg);
+			break;
+		case 'g':
+			arguments->gid = atoi(optarg);
+			break;
 		default:
 			usage();
 		}
@@ -115,7 +128,7 @@ static void unblock_eater(int pidfd)
 		die(" pidfd_send_signal");
 }
 
-static int create_socket(const char *path)
+static int create_socket(const char *path, uid_t uid, gid_t gid)
 {
 	struct sockaddr_un addr;
 	int ret, conn;
@@ -129,6 +142,9 @@ static int create_socket(const char *path)
 	if (ret < 0)
 		die(" bind");
 
+	ret = lchown(path, uid, gid);
+	if (ret < 0)
+		die(" failed to the permission on the socket");
 	ret = listen(fd, 1);
 	if (ret < 0)
 		die(" listen");
@@ -193,6 +209,8 @@ int main(int argc, char **argv)
 	int n, i;
 
 	arguments.pid = -1;
+	arguments.uid = getuid();
+	arguments.gid = getgid();
 	parse(argc, argv, &arguments);
 	fd = open(arguments.input_file, O_CLOEXEC | O_RDONLY);
 	if (read(fd, &g, sizeof(g)) != sizeof(g))
@@ -212,7 +230,7 @@ int main(int argc, char **argv)
 		unblock_eater(pidfd);
 	} else if (arguments.socket != NULL) {
 		unlink(arguments.socket);
-	if ((fd = create_socket(arguments.socket)) < 0)
+	if ((fd = create_socket(arguments.socket, arguments.uid, arguments.gid)) < 0)
 		die(" creating the socket");
 	if ((notifier = recvfd(fd)) < 0)
 		die(" failed recieving the notifier fd");
-- 
cgit v1.2.3
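Review bot: `atoi(optarg)` in the new `'u'` and `'g'` cases cannot report an error, so `--socket-user=nobody` or a stray character silently yields 0 and the socket gets handed to root, while `--socket-user=-1` becomes `(uid_t)-1`, which lchown() treats as "leave unchanged"; these values feed a privilege-relevant chown and should be validated. Parse with strtoul() and reject empty input, a leading `-`, trailing text and ERANGE, falling back to usage() like the `default` case does, as sketched below (this needs `<errno.h>` among the includes). Since the options are called "user" and "group", accepting names through getpwnam()/getgrnam() when the string is not numeric would be a natural extension, but the numeric validation is the part that matters for safety. parse() itself begins and ends outside this hunk.
```c
/* Parse a decimal uid/gid from the command line; reject empty, negative,
 * trailing-garbage and out-of-range input instead of silently mapping it
 * to 0 (root) as atoi() would. Exits via usage() on bad input. */
static unsigned long parse_id(const char *s)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(s, &end, 10);
	if (*s == '\0' || *s == '-' || *end != '\0' || errno == ERANGE)
		usage();
	return v;
}

/* … unchanged: parse() up to and including case 's' … */
		case 'u':
			arguments->uid = (uid_t)parse_id(optarg);
			break;
		case 'g':
			arguments->gid = (gid_t)parse_id(optarg);
			break;
```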
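Review bot: Changing only the owner does not make the socket usable by the configured user or group: connecting to a UNIX socket needs write permission on the socket file, and bind() creates it with mode 0777 masked by the umask, so under a typical 022 umask a `--socket-group` member still gets EACCES on connect. Set the mode explicitly right after the new lchown(), e.g. `if (chmod(path, 0660) < 0) die(" chmod");` (or wrap bind() in umask(0117) so the file is never briefly wider than intended). The error string `" failed to the permission on the socket"` is also missing a word; `" failed to change the owner of the socket"` says what lchown() actually did. lchown() by path is the right primitive here since fchown() on the socket fd does not touch the filesystem node, but it is inherently racy if the socket's directory is writable by others, so the path should live in a directory the service owns. create_socket() begins and ends outside this hunk.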