'\" t
.\" Title: priv_wrapper
.\" Author: Samba Team
.\" Generator: Asciidoctor 2.0.17
.\" Date: 2022-09-14
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
.TH "PRIV_WRAPPER" "1" "2022-09-14" "\ \&" "\ \&"
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.ss \n[.ss] 0
.nh
.ad l
.de URL
\fI\\$2\fP <\\$1>\\$3
..
.als MTO URL
.if \n[.g] \{\
. mso www.tmac
. am URL
. ad l
. .
. am MTO
. ad l
. .
. LINKSTYLE blue R < >
.\}
.SH "NAME"
priv_wrapper \- A library to disable resource limits and other privilege dropping.
.SH "SYNOPSIS"
.sp
LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1 [PRIV_WRAPPER_CHROOT_DISABLE=1] [PRIV_WRAPPER_PRCTL_DISABLE=<options>] [PRIV_WRAPPER_SETRLIMIT_DISABLE=<options>]
.SH "DESCRIPTION"
.sp
priv_wrapper aims to help running processes which are dropping privileges or are
restricting resources in test environments.
It can disable chroot, prctl, pledge and setrlimit system calls. A disabled call always
succeeds (i.e. returns 0) and does nothing.
The system call pledge exists only on OpenBSD.
.SH "ENVIRONMENT VARIABLES"
.sp
\fBPRIV_WRAPPER\fP
.RS 4
This variable activates priv_wrapper when set to \fI1\fP.
.RE
.sp
\fBPRIV_WRAPPER_DISABLE_DEEPBIND\fP
.RS 4
This allows you to disable deep binding in priv_wrapper.
This is useful for running valgrind tools or sanitizers (address, undefined, thread).
.RE
.sp
\fBPRIV_WRAPPER_CHROOT_DISABLE\fP
.RS 4
If this is set to \fI1\fP then the chroot() system call will be disabled.
.RE
.sp
\fBPRIV_WRAPPER_PRCTL_DISABLE\fP
.RS 4
prctl calls can be disabled using this environment variable. You can either disable all
calls using PRIV_WRAPPER_PRCTL_DISABLE=ALL or pick specific options using e.g.
PRIV_WRAPPER_PRCTL_DISABLE=PR_SET_SECCOMP|PR_SET_NO_NEW_PRIVS
.RE
.sp
Supported options are:
.sp
.nf
PR_SET_SECCOMP
PR_SET_NO_NEW_PRIVS
PR_SET_DUMPABLE
.fi
.sp
\fBPRIV_WRAPPER_SETRLIMIT_DISABLE\fP
.RS 4
Either all resource limits can be disabled using PRIV_WRAPPER_SETRLIMIT_DISABLE=ALL or
you can pick specific resources using e.g.:
.RE
.sp
PRIV_WRAPPER_SETRLIMIT_DISABLE=RLIMIT_STACK|RLIMIT_CORE
.sp
Supported options are:
.sp
.nf
RLIMIT_CPU
RLIMIT_FSIZE
RLIMIT_DATA
RLIMIT_STACK
RLIMIT_CORE
RLIMIT_RSS
RLIMIT_NOFILE
RLIMIT_AS
RLIMIT_NPROC
RLIMIT_MEMLOCK
RLIMIT_LOCKS
RLIMIT_SIGPENDING
RLIMIT_MSGQUEUE
RLIMIT_NICE
RLIMIT_RTPRIO
RLIMIT_RTTIME
RLIMIT_NLIMITS
.fi
.sp
\fBPRIV_WRAPPER_PLEDGE_DISABLE\fP
.RS 4
If this is set to \fI1\fP then the pledge() system call will be disabled.
.RE
.sp
\fBPRIV_WRAPPER_DEBUGLEVEL\fP
.RS 4
If you need to see what is going on in priv_wrapper itself or try to find a
bug, you can enable logging support in priv_wrapper if you built it with
debug symbols.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
. sp -1
. IP \(bu 2.3
.\}
0 = ERROR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
. sp -1
. IP \(bu 2.3
.\}
1 = WARNING
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
. sp -1
. IP \(bu 2.3
.\}
2 = DEBUG
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
. sp -1
. IP \(bu 2.3
.\}
3 = TRACE
.RE
.RE
.SH "EXAMPLE"
.sp
LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1 PRIV_WRAPPER_PRCTL_DISABLE="PR_SET_SECCOMP|PR_SET_NO_NEW_PRIVS"
.sp
LD_PRELOAD=libpriv_wrapper.so PRIV_WRAPPER=1 PRIV_WRAPPER_CHROOT_DISABLE=1 PRIV_WRAPPER_PRCTL_DISABLE=ALL PRIV_WRAPPER_SETRLIMIT_DISABLE="RLIMIT_CPU|RLIMIT_DATA|RLIMIT_NLIMITS"
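.sp
Because a disabled call returns 0 and does nothing, a return value alone cannot tell a test whether a restriction is in force. The following read-back check is an added example, not code from priv_wrapper or the Samba Team; the function names are hypothetical, and it assumes Linux and that getrlimit() and the PR_GET_NO_NEW_PRIVS query are not themselves intercepted.
.sp
.nf
```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Hypothetical helpers, not part of priv_wrapper.
 * Each returns 1 if the restriction is really in force, 0 if the call
 * reported success but changed nothing, -1 if the call itself failed. */

/* Lower RLIMIT_CORE to 0 and read the limit back.
 * Caveat: a limit that was already 0 also reads back as enforced. */
int core_limit_enforced(void)
{
    struct rlimit want = { 0, 0 }, got;

    if (setrlimit(RLIMIT_CORE, &want) != 0)
        return -1;
    if (getrlimit(RLIMIT_CORE, &got) != 0)
        return -1;
    return got.rlim_cur == 0 && got.rlim_max == 0;
}

/* Set no_new_privs and read the flag back. */
int no_new_privs_enforced(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
}

int main(void)
{
    int core = core_limit_enforced();
    int nnp = no_new_privs_enforced();

    printf("RLIMIT_CORE=0 enforced: %d", core);
    puts("");
    printf("no_new_privs enforced:  %d", nnp);
    puts("");

    /* Exit 0 only when both restrictions actually took effect. */
    return (core == 1 && nnp == 1) ? 0 : 1;
}
```
.fi
.sp
Run without the preload, the program exits 0. Under the stated assumptions, a result of 0 from either helper means the call was turned into a no-op, which is what the DESCRIPTION section says a disabled call does.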
.SH "AUTHOR"
.sp
Samba Team