nixos/security/wrappers: read capabilities off /proc/self/exe directly

/proc/self/exe is a "fake" symlink. When it's opened, it always opens the actual file that was execve()d in this process, even if the file was deleted or renamed; if the file is no longer accessible from the current chroot/mount namespace it will at the very worst fail and never open the wrong file. Thus, we can make a much simpler argument that we're reading capabilities off the correct file after this change (and that argument doesn't rely on things such as protected_hardlinks being enabled, or no users being able to write to /run/wrappers, or the verification that the path readlink returns starts with /run/wrappers/).
2022-11-14 14:45:36 +01:00 · 2022-11-14 14:45:36 +01:00 · 11ca4dcbb8
commit 11ca4dcbb8
parent ec36e0218f
1 changed files with 1 additions and 1 deletions
--- a/nixos/modules/security/wrappers/wrapper.c
+++ b/nixos/modules/security/wrappers/wrapper.c
@ -236,7 +236,7 @@ int main(int argc, char **argv) {
    // Read the capabilities set on the wrapper and raise them in to
    // the ambient set so the program we're wrapping receives the
    // capabilities too!
-    if (make_caps_ambient(self_path) != 0) {
+    if (make_caps_ambient("/proc/self/exe") != 0) {
        free(self_path);
        return 1;
    }