drop capabilities

2024-02-09 21:33:57 +01:00 · 2024-02-09 21:33:57 +01:00 · 27096b766c
commit 27096b766c
parent 2627bad25d
1 changed files with 14 additions and 6 deletions
--- a/src/vpn.c
+++ b/src/vpn.c
@ -1,5 +1,6 @@
 #define _GNU_SOURCE

+#include <sys/prctl.h>
 #include <fcntl.h>
 #include <pwd.h>
 #include <sched.h>
@ -8,12 +9,6 @@
 #include <unistd.h>

 int main() {
-    char shell[128] = {0};
-
-    struct passwd *pw = getpwent();
-    strlcpy(shell, pw->pw_shell, sizeof(shell));
-    printf("%s\n", shell);
-    endpwent();

    int fd = open("/run/vpn/net", 0);

@ -30,6 +25,19 @@ int main() {
        perror("open /run/vpn/net");
        return 1;
    }
+
+    if(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) == -1) {
+        perror("prctl");
+        return 1;
+    }
+    
+    char shell[128] = {0};
+
+    struct passwd *pw = getpwent();
+    strlcpy(shell, pw->pw_shell, sizeof(shell));
+    printf("%s\n", shell);
+    endpwent();
+    
    execl(shell, shell, NULL);
    perror(NULL);
    return 0;