From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from gandalf.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3]) by passt.top (Postfix) with ESMTPS id E11A15A0271 for ; Thu, 6 Apr 2023 05:28:27 +0200 (CEST) Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4PsRm56tX6z4xFn; Thu, 6 Apr 2023 13:28:21 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=201602; t=1680751701; bh=nUgrIA0fsm/A6PwXIfPliFsUWY3CDdrFoRojT1CsS4k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iCdZUF/vuctoHqZBs3Dc2nzvE5R+BV/BLJiIhzajE9lf/qlkiwVTKBp3sTSuX7OPy RMn/y+bJWlAvO3Un15Znz8hJCzYPDKo0sxPK8ZNI3WcaMNULPjw/TQo14G32GhKMgD nwUKPXgDQ5hNzHokp7Wjr58ebNBX5LKxV9eLThMk= From: David Gibson To: passt-dev@passt.top, Stefano Brivio Subject: [PATCH v2 10/14] nstool: Add --keep-caps option to nstool exec Date: Thu, 6 Apr 2023 13:28:15 +1000 Message-Id: <20230406032819.707441-11-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230406032819.707441-1-david@gibson.dropbear.id.au> References: <20230406032819.707441-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: XJ7Z7GPV4B7Z3AMIMDDQTDDPBVBEPD7I X-Message-ID-Hash: XJ7Z7GPV4B7Z3AMIMDDQTDDPBVBEPD7I X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This allows you to run commands within a user namespace with the privilege that comes from owning that userns. 
Signed-off-by: David Gibson --- test/nstool.c | 87 +++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 78 insertions(+), 9 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index 5aa14b8..c224d23 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -19,10 +19,15 @@ #include #include #include +#include +#include #include #include +#include +#include #include #include +#include #define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0]))) @@ -75,11 +80,13 @@ static void usage(void) " nstool info [-pw] pid SOCK\n" " Print information about the nstool hold process with control\n" " socket at SOCK\n" - " -p Print just the holder's PID as seen by the caller\n" - " -w Retry connecting to SOCK until it is ready\n" - " nstool exec SOCK [COMMAND [ARGS...]]\n" + " -p Print just the holder's PID as seen by the caller\n" + " -w Retry connecting to SOCK until it is ready\n" + " nstool exec [--keep-caps] SOCK [COMMAND [ARGS...]]\n" " Execute command or shell in the namespaces of the nstool hold\n" " with control socket at SOCK\n" + " --keep-caps Give all possible capabilities to COMMAND via\n" + " the ambient capability mask\n" " nstool stop SOCK\n" " Instruct the nstool hold with control socket at SOCK to\n" " terminate.\n"); @@ -278,7 +285,6 @@ static void cmd_info(int argc, char *argv[]) } while (opt != -1); if (optind != argc - 1) { - fprintf(stderr, "B\n"); usage(); } 
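Review bot: The new usage text for `--keep-caps` promises "all possible capabilities", but caps_to_ambient() later in this patch raises into the ambient set only the capabilities already present in the child's effective set, and an ambient raise is additionally limited by the bounding set and securebits, so the help line overstates what COMMAND receives. Wording that matches the implementation would be `"  --keep-caps   Raise the caller's effective capabilities into the\n"` followed by `"                ambient set so COMMAND keeps them across exec\n"`. The usage() function starts before this hunk.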
@@ -359,21 +365,81 @@ static void wait_for_child(pid_t pid) die("Unexpected status for child %d\n", pid); } +static void caps_to_ambient(void) +{ + /* Use raw system calls to avoid the overly complex caps + * libraries. */ + struct __user_cap_header_struct header = { + .version = _LINUX_CAPABILITY_VERSION_3, + .pid = 0, + }; + struct __user_cap_data_struct payload[_LINUX_CAPABILITY_U32S_3] = + {{ 0 }}; + uint64_t effective, cap; + + if (syscall(SYS_capget, &header, payload) < 0) + die("capget(): %s\n", strerror(errno)); + + /* First make caps inheritable */ + payload[0].inheritable = payload[0].permitted; + payload[1].inheritable = payload[1].permitted; + + if (syscall(SYS_capset, &header, payload) < 0) + die("capset(): %s\n", strerror(errno)); + + effective = ((uint64_t)payload[1].effective << 32) | (uint64_t)payload[0].effective; + + for (cap = 0; cap < (sizeof(effective) * 8); cap++) { + /* Skip non-existent caps */ + if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) < 0) + continue; + + if ((effective & (1 << cap)) + && prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0) + die("prctl(PR_CAP_AMBIENT): %s\n", strerror(errno)); + } +} + static void cmd_exec(int argc, char *argv[]) { + enum { + OPT_EXEC_KEEPCAPS = CHAR_MAX + 1, + }; + const struct option options[] = { + {"keep-caps", no_argument, NULL, OPT_EXEC_KEEPCAPS }, + { 0 }, + }; const char *shargs[] = { NULL, NULL }; const char *sockpath = argv[1]; int nfd[ARRAY_SIZE(nstypes)]; + const char *optstring = ""; const struct ns_type *nst; + int ctlfd, flags, opt, rc; const char *const *xargs; + bool keepcaps = false; struct ucred peercred; - int ctlfd, flags, rc; const char *exe; pid_t xpid; - if (argc < 2) + do { + opt = getopt_long(argc, argv, optstring, options, NULL); + + switch (opt) { + case OPT_EXEC_KEEPCAPS: + keepcaps = true; + break; + case -1: + break; + default: + usage(); + } + } while (opt != -1); + + if (argc < optind + 1) usage(); + sockpath = argv[optind]; + ctlfd = connect_ctl(sockpath, false, 
NULL, &peercred); flags = detect_namespaces(peercred.pid); @@ -418,9 +484,9 @@ static void cmd_exec(int argc, char *argv[]) } /* CHILD */ - if (argc > 2) { - exe = argv[2]; - xargs = (const char * const*)(argv + 2); + if (argc > optind + 1) { + exe = argv[optind + 1]; + xargs = (const char * const*)(argv + optind + 1); } else { exe = getenv("SHELL"); if (!exe) @@ -431,6 +497,9 @@ static void cmd_exec(int argc, char *argv[]) xargs = shargs; } + if (keepcaps) + caps_to_ambient(); + rc = execvp(exe, (char *const *)xargs); if (rc < 0) die("execv() %s: %s\n", exe, strerror(errno)); -- 2.39.2
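Review bot: In caps_to_ambient() the test `effective & (1 << cap)` shifts a plain int while `cap` runs up to 63, so for cap >= 31 the shift is undefined behaviour and on x86 the count wraps modulo 32 in practice, meaning a capability numbered 32 or above is checked against the wrong bit and is either silently left out of the ambient set or raised when it is not effective (which then reaches the die() after PR_CAP_AMBIENT_RAISE); the mask must be 64-bit, `if ((effective & (UINT64_C(1) << cap))` with the rest of the condition unchanged. Separately, in cmd_exec() the empty `optstring` lets glibc's getopt_long() permute argv and keep scanning past SOCK and COMMAND, so any `-x` or `--foo` argument meant for COMMAND is consumed as an nstool option and trips usage(); starting the string with a plus, `const char *optstring = "+";`, stops parsing at the first non-option. With `sockpath` now assigned from `argv[optind]`, its initializer `= argv[1]` is dead and can be dropped. cmd_exec()'s body continues past the end of this hunk.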
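Review bot: The `if (keepcaps) caps_to_ambient();` call just before execvp() carries no comment explaining why the ambient set is the mechanism or that the kernel clears the ambient set when the executed file is set-user-ID, set-group-ID or has file capabilities, in which case COMMAND silently loses the privileges this option was meant to keep. A comment above the call should record that: `/* Raise effective caps into the ambient set so they survive execve(); the kernel drops them again if COMMAND is setuid/setgid or carries file capabilities. */`. The setns() calls that precede this point are outside the hunk, so whether the capability set raised here is the post-join one cannot be confirmed from the diff alone.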