536feffc68
Writing the gid_map is already non-fatal, but the actual sandbox process still tries to setresgid() to nogroup (usually 65534). This however fails, because if user namespace sandboxing is present, the namespace doesn't have CAP_SETGID at this point. Fortunately, the effective GID is already 65534, so we just need to check whether the target gid matches and only(!) setresgid() if it doesn't. So if someone would run a SUID version of the sandbox, it would still work nonetheless without a negative impact on security. Fixes #5730, thanks to @wizeman for reporting and initial debugging. Signed-off-by: aszlig <aszlig@redmoonstudios.org> |
||
|---|---|---|
| .. | ||
| source | ||
| browser.nix | ||
| common.nix | ||
| default.nix | ||
| plugins.nix | ||
| sandbox.nix | ||
| update.sh | ||