squid: do not use setuid/setgid and similar system calls

Otherwise seccomp will terminate it on modern Android OS versions.
2020-08-07 22:21:21 +03:00 · 2020-08-07 22:21:21 +03:00 · 6a41d7740d
commit 6a41d7740d
parent 2745042f62
1 changed files with 50 additions and 0 deletions
--- a/packages/squid/no-priv-drop.patch
+++ b/packages/squid/no-priv-drop.patch
@ -0,0 +1,50 @@
+diff -uNr squid-4.12/src/tools.cc squid-4.12.mod/src/tools.cc
+--- squid-4.12/src/tools.cc	2020-06-07 18:42:16.000000000 +0300
+++ squid-4.12.mod/src/tools.cc	2020-08-07 22:20:30.241392700 +0300
+@@ -503,6 +503,9 @@
+ void
+ leave_suid(void)
+ {
+#ifdef __ANDROID__
+    return;
+#endif
+     debugs(21, 3, "leave_suid: PID " << getpid() << " called");
+ 
+     if (Config.effectiveGroup) {
+@@ -539,6 +542,7 @@
+         }
+     }
+ 
+#ifndef __ANDROID__
+ #if HAVE_SETRESUID
+     if (setresuid(Config2.effectiveUserID, Config2.effectiveUserID, 0) < 0) {
+         const auto xerrno = errno;
+@@ -560,6 +564,7 @@
+ #endif
+ 
+     restoreCapabilities(true);
+#endif
+ 
+ #if HAVE_PRCTL && defined(PR_SET_DUMPABLE)
+     /* Set Linux DUMPABLE flag */
+@@ -574,6 +579,10 @@
+ void
+ enter_suid(void)
+ {
+#ifdef __ANDROID__
+    return;
+#endif
+
+     debugs(21, 3, "enter_suid: PID " << getpid() << " taking root privileges");
+ #if HAVE_SETRESUID
+     if (setresuid((uid_t)-1, 0, (uid_t)-1) < 0) {
+@@ -600,6 +609,9 @@
+ void
+ no_suid(void)
+ {
+#ifdef __ANDROID__
+    return;
+#endif
+     uid_t uid;
+     leave_suid();
+     uid = geteuid();