daemon: enable chroot jail

The chroot jail can be enabled now that the protocol instances don't need to connect to the zebra AF_UNIX socket anymore. Signed-off-by: Renato Westphal <[email protected]>
holo-routing · Dec 21, 2023 · 6490c38 · 6490c38
1 parent 191d48b
commit 6490c38
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/holo-daemon/src/main.rs b/holo-daemon/src/main.rs
@@ -120,8 +120,8 @@ fn privdrop(user: &str) -> nix::Result<()> {
 
     // Drop to unprivileged user and group.
     if let Some(user) = User::from_name(user)? {
-        //nix::unistd::chroot(&user.dir)?;
-        //nix::unistd::chdir("/")?;
+        nix::unistd::chroot(&user.dir)?;
+        nix::unistd::chdir("/")?;
         nix::unistd::setgroups(&[user.gid])?;
         nix::unistd::setresgid(user.gid, user.gid, user.gid)?;
         nix::unistd::setresuid(user.uid, user.uid, user.uid)?;