def set_caps(*args):
return _prctl.set_caps(*_parse_caps(True, *args))
print('starting worker servers...')
if not os.path.exists('/var/run/cryptomato'):
os.mkdir('/var/run/cryptomato')
os.chmod('/var/run/cryptomato', 0o1777)
pid1 = os.fork()
if not pid1:
prctl.set_pdeathsig(signal.SIGKILL)
# clear some CAP_INHERITABLE
caps_to_keep = {
prctl.CAP_SETUID,
prctl.CAP_SETGID,
prctl.CAP_CHOWN,
prctl.CAP_KILL,
}
caps_to_clear = set(range(1024)).difference(caps_to_keep)
_prctl.set_caps([], [], [], list(caps_to_clear), list(caps_to_clear), list(caps_to_clear))
os.setsid()
os.execl('/usr/bin/python3', '/usr/bin/python3', '-u', '-m', 'cryptomato_worker.worker', 'sandbox_server')
sys.exit(0)
pid2 = os.fork()
if not pid2:
prctl.set_pdeathsig(signal.SIGKILL)
# clear all CAP_INHERITABLE
_prctl.set_caps([], [], [], [], [], list(range(1024)))
os.setsid()
os.setgroups([SANDBOX_GID, SANDBOX_GID + 1, 1000])
os.setresgid(SANDBOX_GID + 1, SANDBOX_GID + 1, SANDBOX_GID + 1)
os.setresuid(SANDBOX_UID + 1, SANDBOX_UID + 1, SANDBOX_UID + 1)
os.execl('/usr/bin/python3', '/usr/bin/python3', '-u', '-m', 'cryptomato_worker.worker', 'misc_server')
sys.exit(0)