From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from gandalf.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id 544DF5A0269
	for <passt-dev@passt.top>; Tue, 11 Oct 2022 07:40:30 +0200 (CEST)
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4Mml4507vRz4xGt; Tue, 11 Oct 2022 16:40:21 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=201602; t=1665466821;
	bh=iKjF9S2cTsbzf3W0Di2loJPzIbTXzsRfLACr+SolIQs=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=B7ZJSIa56TBGnxSZJ3gRZW+etlnfhzQEm1l6AIhTvNB86CuPpBFSgjcbnyhd3jfjf
	 234pqAbOzlRON9RRfQWj9yRA61n/1PC5RtI0Rm90wWsQLNHOTjLlRBefFjGYNOHGeL
	 iPyE02tPCLEN6N9+H2QHU7Ox5pPxmxuyUnwd+rxc=
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Subject: [PATCH 07/10] isolation: Replace drop_caps() with a version that actually does something
Date: Tue, 11 Oct 2022 16:40:15 +1100
Message-Id: <20221011054018.1449506-8-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.37.3
In-Reply-To: <20221011054018.1449506-1-david@gibson.dropbear.id.au>
References: <20221011054018.1449506-1-david@gibson.dropbear.id.au>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: YMFT7BDWFU2PY36EV4RNJ2XOD2IJYV4J
X-Message-ID-Hash: YMFT7BDWFU2PY36EV4RNJ2XOD2IJYV4J
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, David Gibson <david@gibson.dropbear.id.au>
X-Mailman-Version: 3.3.3
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <>
Archived-At: <https://archives.passt.top/passt-dev/20221011054018.1449506-8-david@gibson.dropbear.id.au/>
List-Archive: <>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

The current implementation of drop_caps() doesn't really work because it
attempts to drop capabilities from the bounding set.  hat's not the set
that really matters: the bounding set is about limiting the abilities of
otherwise things we might later exec() rather than our own capabilities.
In addition altering the bounding set requires CAP_SETPCAP which we won't
usually have.

Replace it with a new version which uses setcap(2) to drop capabilities
from the effective and permitted sets, which is what actually matters for
most purposes.  For now we leave the inheritable set alone, since we don't
want to preclude the user from passing inheritable capabilities to the
command spawed by pasta.

Correctly dropping caps reveals that we actually need CAP_SYS_ADMIN within
the userns we create/join in pasta mode, so that we can later setns() to
the netns within it.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 isolation.c | 52 ++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 44 insertions(+), 8 deletions(-)

diff --git a/isolation.c b/isolation.c
index 4aa75e6..2468f84 100644
--- a/isolation.c
+++ b/isolation.c
@@ -86,18 +86,37 @@
 #include "passt.h"
 #include "isolation.h"
 
+#define CAP_VERSION	_LINUX_CAPABILITY_VERSION_3
+#define CAP_WORDS	_LINUX_CAPABILITY_U32S_3
+
 /**
- * drop_caps() - Drop capabilities we might have except for CAP_NET_BIND_SERVICE
+ * drop_caps_ep_except() - Drop capabilities from effective & permitted sets
+ * @keep:	Capabilities to keep
  */
-static void drop_caps(void)
+static void drop_caps_ep_except(uint64_t keep)
 {
+	struct __user_cap_header_struct hdr = {
+		.version = CAP_VERSION,
+		.pid = 0,
+	};
+	struct __user_cap_data_struct data[CAP_WORDS];
 	int i;
 
-	for (i = 0; i < 64; i++) {
-		if (i == CAP_NET_BIND_SERVICE)
-			continue;
+	if (syscall(SYS_capget, &hdr, data)) {
+		err("Couldn't get current capabilities: %s", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+	for (i = 0; i < CAP_WORDS; i++) {
+		uint32_t mask = keep >> (32 * i);
+
+		data[i].effective &= mask;
+		data[i].permitted &= mask;
+	}
 
-		prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
+	if (syscall(SYS_capset, &hdr, data)) {
+		err("Couldn't drop capabilities: %s", strerror(errno));
+		exit(EXIT_FAILURE);
 	}
 }
 
@@ -111,7 +130,11 @@ static void drop_caps(void)
  */
 void isolate_initial(void)
 {
-	drop_caps();
+	/* We want to keep CAP_NET_BIND_SERVICE in the initial
+	 * namespace if we have it, so that we can forward low ports
+	 * into the guest/namespace
+	 */
+	drop_caps_ep_except((1UL << CAP_NET_BIND_SERVICE));
 }
 
 /**
@@ -211,6 +234,7 @@ void isolate_user(uid_t uid, gid_t gid, bool use_userns, const char *userns)
 int isolate_prefork(struct ctx *c)
 {
 	int flags = CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWUTS;
+	uint64_t ns_caps = 0;
 
 	/* If we run in foreground, we have no chance to actually move to a new
 	 * PID namespace. For passt, use CLONE_NEWPID anyway, in case somebody
@@ -251,7 +275,19 @@ int isolate_prefork(struct ctx *c)
 		return -errno;
 	}
 
-	drop_caps();	/* Relative to the new user namespace this time. */
+	/* Drop capabilites in our new userns */
+	if (c->mode == MODE_PASTA) {
+		/* Keep CAP_SYS_ADMIN, so that we can setns() to the
+		 * netns when we need to act upon it
+		 */
+		ns_caps |= 1UL << CAP_SYS_ADMIN;
+		/* Keep CAP_NET_BIND_SERVICE, so we can splice
+		 * outbound connections to low port numbers
+		 */
+		ns_caps |= 1UL << CAP_NET_BIND_SERVICE;
+	}
+
+	drop_caps_ep_except(ns_caps);
 
 	return 0;
 }
-- 
2.37.3