From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top, Stefano Brivio <sbrivio@redhat.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH v2 10/14] nstool: Add --keep-caps option to nstool exec
Date: Thu, 6 Apr 2023 13:28:15 +1000 [thread overview]
Message-ID: <20230406032819.707441-11-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20230406032819.707441-1-david@gibson.dropbear.id.au>
This allows you to run commands within a user namespace with the
privilege that comes from owning that userns.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
test/nstool.c | 87 +++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 78 insertions(+), 9 deletions(-)
diff --git a/test/nstool.c b/test/nstool.c
index 5aa14b8..c224d23 100644
--- a/test/nstool.c
+++ b/test/nstool.c
@@ -19,10 +19,15 @@
#include <stdarg.h>
#include <limits.h>
#include <fcntl.h>
+#include <limits.h>
+#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
+#include <sys/syscall.h>
+#include <sys/prctl.h>
#include <linux/un.h>
#include <sched.h>
+#include <linux/capability.h>
#define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0])))
@@ -75,11 +80,13 @@ static void usage(void)
" nstool info [-pw] pid SOCK\n"
" Print information about the nstool hold process with control\n"
" socket at SOCK\n"
- " -p Print just the holder's PID as seen by the caller\n"
- " -w Retry connecting to SOCK until it is ready\n"
- " nstool exec SOCK [COMMAND [ARGS...]]\n"
+ " -p Print just the holder's PID as seen by the caller\n"
+ " -w Retry connecting to SOCK until it is ready\n"
+ " nstool exec [--keep-caps] SOCK [COMMAND [ARGS...]]\n"
" Execute command or shell in the namespaces of the nstool hold\n"
" with control socket at SOCK\n"
+ " --keep-caps Give all possible capabilities to COMMAND via\n"
+ " the ambient capability mask\n"
" nstool stop SOCK\n"
" Instruct the nstool hold with control socket at SOCK to\n"
" terminate.\n");
@@ -278,7 +285,6 @@ static void cmd_info(int argc, char *argv[])
} while (opt != -1);
if (optind != argc - 1) {
- fprintf(stderr, "B\n");
usage();
}
@@ -359,21 +365,81 @@ static void wait_for_child(pid_t pid)
die("Unexpected status for child %d\n", pid);
}
+static void caps_to_ambient(void)
+{
+ /* Use raw system calls to avoid the overly complex caps
+ * libraries. */
+ struct __user_cap_header_struct header = {
+ .version = _LINUX_CAPABILITY_VERSION_3,
+ .pid = 0,
+ };
+ struct __user_cap_data_struct payload[_LINUX_CAPABILITY_U32S_3] =
+ {{ 0 }};
+ uint64_t effective, cap;
+
+ if (syscall(SYS_capget, &header, payload) < 0)
+ die("capget(): %s\n", strerror(errno));
+
+ /* First make caps inheritable */
+ payload[0].inheritable = payload[0].permitted;
+ payload[1].inheritable = payload[1].permitted;
+
+ if (syscall(SYS_capset, &header, payload) < 0)
+ die("capset(): %s\n", strerror(errno));
+
+ effective = ((uint64_t)payload[1].effective << 32) | (uint64_t)payload[0].effective;
+
+ for (cap = 0; cap < (sizeof(effective) * 8); cap++) {
+ /* Skip non-existent caps */
+ if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) < 0)
+ continue;
+
+ if ((effective & (1 << cap))
+ && prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0)
+ die("prctl(PR_CAP_AMBIENT): %s\n", strerror(errno));
+ }
+}
+
static void cmd_exec(int argc, char *argv[])
{
+ enum {
+ OPT_EXEC_KEEPCAPS = CHAR_MAX + 1,
+ };
+ const struct option options[] = {
+ {"keep-caps", no_argument, NULL, OPT_EXEC_KEEPCAPS },
+ { 0 },
+ };
const char *shargs[] = { NULL, NULL };
const char *sockpath = argv[1];
int nfd[ARRAY_SIZE(nstypes)];
+ const char *optstring = "";
const struct ns_type *nst;
+ int ctlfd, flags, opt, rc;
const char *const *xargs;
+ bool keepcaps = false;
struct ucred peercred;
- int ctlfd, flags, rc;
const char *exe;
pid_t xpid;
- if (argc < 2)
+ do {
+ opt = getopt_long(argc, argv, optstring, options, NULL);
+
+ switch (opt) {
+ case OPT_EXEC_KEEPCAPS:
+ keepcaps = true;
+ break;
+ case -1:
+ break;
+ default:
+ usage();
+ }
+ } while (opt != -1);
+
+ if (argc < optind + 1)
usage();
+ sockpath = argv[optind];
+
ctlfd = connect_ctl(sockpath, false, NULL, &peercred);
flags = detect_namespaces(peercred.pid);
@@ -418,9 +484,9 @@ static void cmd_exec(int argc, char *argv[])
}
/* CHILD */
- if (argc > 2) {
- exe = argv[2];
- xargs = (const char * const*)(argv + 2);
+ if (argc > optind + 1) {
+ exe = argv[optind + 1];
+ xargs = (const char * const*)(argv + optind + 1);
} else {
exe = getenv("SHELL");
if (!exe)
@@ -431,6 +497,9 @@ static void cmd_exec(int argc, char *argv[])
xargs = shargs;
}
+ if (keepcaps)
+ caps_to_ambient();
+
rc = execvp(exe, (char *const *)xargs);
if (rc < 0)
die("execv() %s: %s\n", exe, strerror(errno));
--
@@ -19,10 +19,15 @@
#include <stdarg.h>
#include <limits.h>
#include <fcntl.h>
+#include <limits.h>
+#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
+#include <sys/syscall.h>
+#include <sys/prctl.h>
#include <linux/un.h>
#include <sched.h>
+#include <linux/capability.h>
#define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0])))
@@ -75,11 +80,13 @@ static void usage(void)
" nstool info [-pw] pid SOCK\n"
" Print information about the nstool hold process with control\n"
" socket at SOCK\n"
- " -p Print just the holder's PID as seen by the caller\n"
- " -w Retry connecting to SOCK until it is ready\n"
- " nstool exec SOCK [COMMAND [ARGS...]]\n"
+ " -p Print just the holder's PID as seen by the caller\n"
+ " -w Retry connecting to SOCK until it is ready\n"
+ " nstool exec [--keep-caps] SOCK [COMMAND [ARGS...]]\n"
" Execute command or shell in the namespaces of the nstool hold\n"
" with control socket at SOCK\n"
+ " --keep-caps Give all possible capabilities to COMMAND via\n"
+ " the ambient capability mask\n"
" nstool stop SOCK\n"
" Instruct the nstool hold with control socket at SOCK to\n"
" terminate.\n");
@@ -278,7 +285,6 @@ static void cmd_info(int argc, char *argv[])
} while (opt != -1);
if (optind != argc - 1) {
- fprintf(stderr, "B\n");
usage();
}
@@ -359,21 +365,81 @@ static void wait_for_child(pid_t pid)
die("Unexpected status for child %d\n", pid);
}
+static void caps_to_ambient(void)
+{
+ /* Use raw system calls to avoid the overly complex caps
+ * libraries. */
+ struct __user_cap_header_struct header = {
+ .version = _LINUX_CAPABILITY_VERSION_3,
+ .pid = 0,
+ };
+ struct __user_cap_data_struct payload[_LINUX_CAPABILITY_U32S_3] =
+ {{ 0 }};
+ uint64_t effective, cap;
+
+ if (syscall(SYS_capget, &header, payload) < 0)
+ die("capget(): %s\n", strerror(errno));
+
+ /* First make caps inheritable */
+ payload[0].inheritable = payload[0].permitted;
+ payload[1].inheritable = payload[1].permitted;
+
+ if (syscall(SYS_capset, &header, payload) < 0)
+ die("capset(): %s\n", strerror(errno));
+
+ effective = ((uint64_t)payload[1].effective << 32) | (uint64_t)payload[0].effective;
+
+ for (cap = 0; cap < (sizeof(effective) * 8); cap++) {
+ /* Skip non-existent caps */
+ if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) < 0)
+ continue;
+
+ if ((effective & (1 << cap))
+ && prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0)
+ die("prctl(PR_CAP_AMBIENT): %s\n", strerror(errno));
+ }
+}
+
static void cmd_exec(int argc, char *argv[])
{
+ enum {
+ OPT_EXEC_KEEPCAPS = CHAR_MAX + 1,
+ };
+ const struct option options[] = {
+ {"keep-caps", no_argument, NULL, OPT_EXEC_KEEPCAPS },
+ { 0 },
+ };
const char *shargs[] = { NULL, NULL };
const char *sockpath = argv[1];
int nfd[ARRAY_SIZE(nstypes)];
+ const char *optstring = "";
const struct ns_type *nst;
+ int ctlfd, flags, opt, rc;
const char *const *xargs;
+ bool keepcaps = false;
struct ucred peercred;
- int ctlfd, flags, rc;
const char *exe;
pid_t xpid;
- if (argc < 2)
+ do {
+ opt = getopt_long(argc, argv, optstring, options, NULL);
+
+ switch (opt) {
+ case OPT_EXEC_KEEPCAPS:
+ keepcaps = true;
+ break;
+ case -1:
+ break;
+ default:
+ usage();
+ }
+ } while (opt != -1);
+
+ if (argc < optind + 1)
usage();
+ sockpath = argv[optind];
+
ctlfd = connect_ctl(sockpath, false, NULL, &peercred);
flags = detect_namespaces(peercred.pid);
@@ -418,9 +484,9 @@ static void cmd_exec(int argc, char *argv[])
}
/* CHILD */
- if (argc > 2) {
- exe = argv[2];
- xargs = (const char * const*)(argv + 2);
+ if (argc > optind + 1) {
+ exe = argv[optind + 1];
+ xargs = (const char * const*)(argv + optind + 1);
} else {
exe = getenv("SHELL");
if (!exe)
@@ -431,6 +497,9 @@ static void cmd_exec(int argc, char *argv[])
xargs = shargs;
}
+ if (keepcaps)
+ caps_to_ambient();
+
rc = execvp(exe, (char *const *)xargs);
if (rc < 0)
die("execv() %s: %s\n", exe, strerror(errno));
--
2.39.2
next prev parent reply other threads:[~2023-04-06 3:28 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-06 3:28 [PATCH v2 00/14] Improved tool for testing across multiple namespaces David Gibson
2023-04-06 3:28 ` [PATCH v2 01/14] nstool: Rename nsholder to nstool David Gibson
2023-04-06 3:28 ` [PATCH v2 02/14] nstool: Reverse parameters " David Gibson
2023-04-06 3:28 ` [PATCH v2 03/14] nstool: Move description of its operation modes from comment to usage David Gibson
2023-04-06 3:28 ` [PATCH v2 04/14] nstool: Split some command line parsing and socket setup to subcommands David Gibson
2023-04-06 3:28 ` [PATCH v2 05/14] nstool: Replace "pid" subcommand with "info" subcommand David Gibson
2023-04-06 3:28 ` [PATCH v2 06/14] nstool: Detect what namespaces target is in David Gibson
2023-04-06 3:28 ` [PATCH v2 07/14] nstool: Add magic number to advertized information David Gibson
2023-04-06 3:28 ` [PATCH v2 08/14] nstool: Helpers to iterate through namespace types David Gibson
2023-04-06 3:28 ` [PATCH v2 09/14] nstool: Add nstool exec command to execute commands in an nstool namespace David Gibson
2023-04-06 3:28 ` David Gibson [this message]
2023-04-06 3:28 ` [PATCH v2 11/14] test: Initialise ${TRACE} properly David Gibson
2023-04-06 3:28 ` [PATCH v2 12/14] test: Use "nstool exec" to slightly simplify tests David Gibson
2023-04-06 3:28 ` [PATCH v2 13/14] nstool: Advertise the holder's cwd (in its mountns) across the socket David Gibson
2023-04-06 3:28 ` [PATCH v2 14/14] nstool: Enter holder's cwd when changing mount ns with nstool exec David Gibson
2023-04-07 23:12 ` [PATCH v2 00/14] Improved tool for testing across multiple namespaces Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230406032819.707441-11-david@gibson.dropbear.id.au \
--to=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).