From 27096b766c88dd01fe7477e9a418280ee84ee087 Mon Sep 17 00:00:00 2001
From: Roy Olav Purser
Date: Fri, 9 Feb 2024 21:33:57 +0100
Subject: [PATCH] drop capabilities

---
 src/vpn.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/vpn.c b/src/vpn.c
index 5cac397..6e2ff5c 100644
--- a/src/vpn.c
+++ b/src/vpn.c
@@ -1,5 +1,6 @@
 #define _GNU_SOURCE
+#include
 #include
 #include
 #include
@@ -8,12 +9,6 @@
 #include
 int main() {
- char shell[128] = {0};
-
- struct passwd *pw = getpwent();
- strlcpy(shell, pw->pw_shell, sizeof(shell));
- printf("%s\n", shell);
- endpwent();
 int fd = open("/run/vpn/net", 0);
@@ -30,6 +25,19 @@ int main() {
 perror("open /run/vpn/net");
 return 1;
 }
+
+ if(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) == -1) {
+ perror("prctl");
+ return 1;
+ }
+
+ char shell[128] = {0};
+
+ struct passwd *pw = getpwent();
+ strlcpy(shell, pw->pw_shell, sizeof(shell));
+ printf("%s\n", shell);
+ endpwent();
+
 execl(shell, shell, NULL);
 perror(NULL);
 return 0;
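Review bot: In the third hunk the moved lookup still calls `getpwent()`, which returns the first entry of the passwd database rather than the invoking user's, and `pw` is dereferenced without a NULL check, so `pw->pw_shell` faults whenever the database cannot be read. It should be `getpwuid(getuid())` with a NULL/empty-shell check, and the `strlcpy` return value compared against `sizeof shell` so a truncated path is refused instead of being handed to `execl`. Note also that `PR_CAP_AMBIENT_CLEAR_ALL` only empties the ambient set: the permitted, effective and bounding sets are untouched, and if this binary runs with euid 0 the exec'd shell regains a full capability set on execve anyway, so the title's "drop capabilities" probably also needs the bounding set dropped (`PR_CAPBSET_DROP`) or a `capset`-based drop — that depends on how the binary is installed, which the patch does not show. `main` begins in the second hunk, and the lines between the hunks (including whatever is done with `fd` before the exec) are not visible here.
```c
    // … unchanged: prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, …) check …

    char shell[128] = {0};

    struct passwd *pw = getpwuid(getuid()); /* the caller's own entry, not the database's first row */
    if (pw == NULL || pw->pw_shell == NULL || pw->pw_shell[0] == '\0') {
        perror("getpwuid");
        return 1;
    }
    if (strlcpy(shell, pw->pw_shell, sizeof shell) >= sizeof shell) {
        fputs("login shell path too long\n", stderr);
        return 1;
    }
    printf("%s\n", shell);

    execl(shell, shell, (char *)NULL);
    // … unchanged: perror(NULL); return 0; …
```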