From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: passt-dev@passt.top
Subject: Re: [PATCH 08/10] isolation: Prevent any child processes gaining capabilities
Date: Thu, 13 Oct 2022 11:50:51 +0200 [thread overview]
Message-ID: <20221013115051.6f48f50a@elisabeth> (raw)
In-Reply-To: <Y0fbbs+s2dApsHtN@yekko>
On Thu, 13 Oct 2022 20:33:34 +1100
David Gibson <david@gibson.dropbear.id.au> wrote:
> On Thu, Oct 13, 2022 at 04:17:30AM +0200, Stefano Brivio wrote:
> > On Tue, 11 Oct 2022 16:40:16 +1100
> > David Gibson <david@gibson.dropbear.id.au> wrote:
> >
> > > We drop our own capabilities, but it's possible that processes we exec()
> > > could gain extra privilege via file capabilities. It shouldn't be possible
> > > for us to exec() anyway due to seccomp() and our filesystem isolation. But
> > > just in case, zero the bounding and inheritable capability sets to prevent
> > > any such child from gainin privilege.
> > >
> > > Note that we do this *after* spawning the pasta shell/command (if any),
> > > because we do want the user to be able to give that privilege if they want.
> > >
> > > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> > > ---
> > > isolation.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > 1 file changed, 56 insertions(+)
> > >
> > > diff --git a/isolation.c b/isolation.c
> > > index 2468f84..e1a024d 100644
> > > --- a/isolation.c
> > > +++ b/isolation.c
> > > @@ -120,6 +120,61 @@ static void drop_caps_ep_except(uint64_t keep)
> > > }
> > > }
> > >
> > > +/**
> > > + * clamp_caps() - Prevent any children from gaining caps
> >
> > "clamp" doesn't sound very specific or clear. caps_drop_inherit_bound()
> > would actually tell me what the function does, but it's a bit of a
> > mouthful in comparison. I'm fine with both, really, but if you have a
> > better idea...
>
> Yeah, I couldn't think of something that was both brief and specific,
> so I went with brief.
>
> > > + *
> > > + * This drops all capabilities from both the inheritable and the
> > > + * bounding set. This means that any exec()ed processes can't gain
> > > + * capabilities, even if they have file capabilities which would grant
> > > + * them. We shouldn't ever exec() in any case, but this provides an
> > > + * additional layer of protection. Executing this requires
> > > + * CAP_SETPCAP, which we will have within our userns.
> > > + *
> > > + * Note that dropping capabilites from the bounding set limits
> > > + * exec()ed processes, but does not remove them from the effective or
> > > + * permitted sets, so it doesn't reduce our own capabilities.
> > > + */
> > > +static void clamp_caps(void)
> > > +{
> > > + struct __user_cap_header_struct hdr = {
> > > + .version = CAP_VERSION,
> > > + .pid = 0,
> > > + };
> > > + struct __user_cap_data_struct data[CAP_WORDS];
> >
> > For consistency, I'd move this before hdr.
>
> Ok.
>
> > > + int i;
> > > +
> > > + for (i = 0; i < 64; i++) {
> > > + /* Some errors can be ignored:
> > > + * - EINVAL, we'll get this for all values in 0..63
> > > + * that are not actually allocated caps
> > > + * - EPERM, we'll get this if we don't have
> > > + * CAP_SETPCAP, which can happen if using
> > > + * --netns-only. We don't need CAP_SETPCAP for
> > > + * normal operation, so carry on without it.
> > > + */
> > > + if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) &&
> > > + errno != EINVAL && errno != EPERM) {
> > > + err("Couldn't drop cap %i from bounding set: %s",
> > > + i, strerror(errno));
> > > + exit(EXIT_FAILURE);
> > > + }
> > > + }
> > > +
> > > + if (syscall(SYS_capget, &hdr, data)) {
> > > + err("Couldn't get current capabilities: %s", strerror(errno));
> > > + exit(EXIT_FAILURE);
> > > + }
> > > +
> > > + for (i = 0; i < CAP_WORDS; i++)
> > > + data[i].inheritable = 0;
> >
> > Any specific reason why? Initialisers can have variable sizes to some
> > extent, but if there's a reason why it can't be done, perhaps that
> > would warrant a comment here.
>
> Why what? We're not trying to alter the permitted or effective sets
> here, so we're doing a capget() first, zeroing the inheritable field,
> then setting it back again.
Oops, never mind, of course, I missed the capget() for a moment.
--
Stefano
next prev parent reply other threads:[~2022-10-13 9:50 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-11 5:40 [PATCH 00/10] Fixes and cleanups for capability handling David Gibson
2022-10-11 5:40 ` [PATCH 01/10] test: Move slower tests to end of test run David Gibson
2022-10-11 5:40 ` [PATCH 02/10] pasta: More general way of starting spawned shell as a login shell David Gibson
2022-10-13 2:16 ` Stefano Brivio
2022-10-13 8:22 ` David Gibson
2022-10-13 9:48 ` Stefano Brivio
2022-10-13 23:24 ` David Gibson
2022-10-11 5:40 ` [PATCH 03/10] pasta_start_ns() always ends in parent context David Gibson
2022-10-11 5:40 ` [PATCH 04/10] Remove unhelpful drop_caps() call in pasta_start_ns() David Gibson
2022-10-11 5:40 ` [PATCH 05/10] Clarify various self-isolation steps David Gibson
2022-10-13 2:17 ` Stefano Brivio
2022-10-13 8:31 ` David Gibson
2022-10-13 12:49 ` Stefano Brivio
2022-10-13 23:25 ` David Gibson
2022-10-11 5:40 ` [PATCH 06/10] Replace FWRITE with a function David Gibson
2022-10-13 2:17 ` Stefano Brivio
2022-10-13 8:51 ` David Gibson
2022-10-11 5:40 ` [PATCH 07/10] isolation: Replace drop_caps() with a version that actually does something David Gibson
2022-10-13 2:18 ` Stefano Brivio
2022-10-13 9:44 ` David Gibson
2022-10-13 4:01 ` Stefano Brivio
2022-10-13 13:08 ` Stefano Brivio
2022-10-13 16:37 ` Stefano Brivio
2022-10-13 23:42 ` David Gibson
2022-10-11 5:40 ` [PATCH 08/10] isolation: Prevent any child processes gaining capabilities David Gibson
2022-10-13 2:17 ` Stefano Brivio
2022-10-13 9:33 ` David Gibson
2022-10-13 9:50 ` Stefano Brivio [this message]
2022-10-11 5:40 ` [PATCH 09/10] isolation: Only configure UID/GID mappings in userns when spawning shell David Gibson
2022-10-13 2:18 ` Stefano Brivio
2022-10-13 9:36 ` David Gibson
2022-10-11 5:40 ` [PATCH 10/10] Rename pasta_setup_ns() to pasta_spawn_cmd() David Gibson
2022-10-13 2:44 ` [PATCH 00/10] Fixes and cleanups for capability handling Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221013115051.6f48f50a@elisabeth \
--to=sbrivio@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).