From: Stefano Brivio
To: passt-dev@passt.top
Subject: [PATCH 7/8] conf, passt, tap: Open socket and PID files before switching UID/GID
Date: Wed, 22 May 2024 22:59:10 +0200
Message-ID: <20240522205911.261325-8-sbrivio@redhat.com>
In-Reply-To: <20240522205911.261325-1-sbrivio@redhat.com>
References: <20240522205911.261325-1-sbrivio@redhat.com>
CC: David Gibson, "'Richard W . M . Jones'", Minxi Hou
List-Id: Development discussion and patches for passt

Otherwise, if the user runs us as root, and gives us paths that are only
accessible by root, we'll fail to open them, which might in turn encourage
users to change permissions or ownerships: definitely a bad idea in terms
of security.

Reported-by: Minxi Hou
Reported-by: Richard W.M. Jones
Signed-off-by: Stefano Brivio --- conf.c | 17 ++++++++++++++++- passt.c | 10 ++++------ passt.h | 4 ++++ tap.c | 7 +++---- tap.h | 1 + 5 files changed, 28 insertions(+), 11 deletions(-) diff --git a/conf.c b/conf.c index 2e0d909..f62a5eb 100644 --- a/conf.c +++ b/conf.c @@ -38,6 +38,7 @@ #include "ip.h" #include "passt.h" #include "netlink.h" +#include "tap.h" #include "udp.h" #include "tcp.h" #include "pasta.h" @@ -1093,7 +1094,7 @@ static void conf_ugid(char *runas, uid_t *uid, gid_t = *gid) =09=09return; =20 =09/* ...otherwise use nobody:nobody */ -=09warn("Started as root. Changing to nobody..."); +=09warn("Started as root, will change to nobody."); =09{ #ifndef GLIBC_NO_STATIC_NSS =09=09const struct passwd *pw; @@ -1113,6 +1114,18 @@ static void conf_ugid(char *runas, uid_t *uid, gid_t= *gid) =09} } =20 +/** + * conf_open_files() - Open files as requested by configuration + * @c:=09=09Execution context + */ +static void conf_open_files(struct ctx *c) +{ +=09if (c->mode =3D=3D MODE_PASST && c->fd_tap =3D=3D -1) +=09=09c->fd_tap_listen =3D tap_sock_unix_open(c->sock_path); + +=09c->pidfile_fd =3D pidfile_open(c->pid_file); +} + /** * conf() - Process command-line arguments and set configuration * @c:=09=09Execution context @@ -1712,6 +1725,8 @@ void conf(struct ctx *c, int argc, char **argv) =09else if (optind !=3D argc) =09=09die("Extra non-option argument: %s", argv[optind]); =20 +=09conf_open_files(c);=09/* Before any possible setuid() / setgid() */ + =09isolate_user(uid, gid, !netns_only, userns, c->mode); =20 =09if (c->pasta_conf_ns) diff --git a/passt.c b/passt.c index e2446fc..a8c4cd3 100644 --- a/passt.c +++ b/passt.c @@ -199,9 +199,9 @@ void exit_handler(int signal) */ int main(int argc, char **argv) { -=09int nfds, i, devnull_fd =3D -1, pidfile_fd; =09struct epoll_event events[EPOLL_EVENTS]; =09char *log_name, argv0[PATH_MAX], *name; +=09int nfds, i, devnull_fd =3D -1; =09struct ctx c =3D { 0 }; =09struct rlimit limit; =09struct timespec now; 
@@ -211,7 +211,7 @@ int main(int argc, char **argv) =20 =09isolate_initial(); =20 -=09c.pasta_netns_fd =3D c.fd_tap =3D -1; +=09c.pasta_netns_fd =3D c.fd_tap =3D c.pidfile_fd =3D -1; =20 =09sigemptyset(&sa.sa_mask); =09sa.sa_flags =3D 0; @@ -299,8 +299,6 @@ int main(int argc, char **argv) =09=09} =09} =20 -=09pidfile_fd =3D pidfile_open(c.pid_file); - =09if (isolate_prefork(&c)) =09=09die("Failed to sandbox process, exiting"); =20 @@ -308,9 +306,9 @@ int main(int argc, char **argv) =09=09__openlog(log_name, 0, LOG_DAEMON); =20 =09if (!c.foreground) -=09=09__daemon(pidfile_fd, devnull_fd); +=09=09__daemon(c.pidfile_fd, devnull_fd); =09else -=09=09pidfile_write(pidfile_fd, getpid()); +=09=09pidfile_write(c.pidfile_fd, getpid()); =20 =09if (pasta_child_pid) =09=09kill(pasta_child_pid, SIGUSR1); diff --git a/passt.h b/passt.h index bc58d64..3e50612 100644 --- a/passt.h +++ b/passt.h @@ -185,6 +185,7 @@ struct ip6_ctx { * @sock_path:=09=09Path for UNIX domain socket * @pcap:=09=09Path for packet capture file * @pid_file:=09=09Path to PID file, empty string if not configured + * @pidfile_fd:=09=09File descriptor for PID file, -1 if none * @pasta_netns_fd:=09File descriptor for network namespace in pasta mode * @no_netns_quit:=09In pasta mode, don't exit if fs-bound namespace is go= ne * @netns_base:=09=09Base name for fs-bound namespace, if any, in pasta mo= de @@ -234,7 +235,10 @@ struct ctx { =09int nofile; =09char sock_path[UNIX_PATH_MAX]; =09char pcap[PATH_MAX]; + =09char pid_file[PATH_MAX]; +=09int pidfile_fd; + =09int one_off; =20 =09int pasta_netns_fd; diff --git a/tap.c b/tap.c index c9f580e..2ea0849 100644 --- a/tap.c +++ b/tap.c @@ -1100,7 +1100,7 @@ restart: * * Return: socket descriptor on success, won't return on failure */ -static int tap_sock_unix_open(char *sock_path) +int tap_sock_unix_open(char *sock_path) { =09int fd =3D socket(AF_UNIX, SOCK_STREAM, 0); =09struct sockaddr_un addr =3D { 
@@ -1144,7 +1144,7 @@ static int tap_sock_unix_open(char *sock_path) =09if (i =3D=3D UNIX_SOCK_MAX) =09=09die("UNIX socket bind: %s", strerror(errno)); =20 -=09info("UNIX domain socket bound at %s\n", addr.sun_path); +=09info("UNIX domain socket bound at %s", addr.sun_path); =09if (!*sock_path) =09=09memcpy(sock_path, addr.sun_path, UNIX_PATH_MAX); =20 @@ -1167,7 +1167,7 @@ static void tap_sock_unix_init(struct ctx *c) =09ev.data.u64 =3D ref.u64; =09epoll_ctl(c->epollfd, EPOLL_CTL_ADD, c->fd_tap_listen, &ev); =20 -=09info("You can now start qemu (>=3D 7.2, with commit 13c6be96618c):"); +=09info("\nYou can now start qemu (>=3D 7.2, with commit 13c6be96618c):"); =09info(" kvm ... -device virtio-net-pci,netdev=3Ds -netdev stream,id= =3Ds,server=3Doff,addr.type=3Dunix,addr.path=3D%s", =09 c->sock_path); =09info("or qrap, for earlier qemu versions:"); @@ -1318,7 +1318,6 @@ void tap_sock_init(struct ctx *c) =09} =20 =09if (c->mode =3D=3D MODE_PASST) { -=09=09c->fd_tap_listen =3D tap_sock_unix_open(c->sock_path); =09=09tap_sock_unix_init(c); =20 =09=09/* In passt mode, we don't know the guest's MAC address until it diff --git a/tap.h b/tap.h index d146d2f..2285a87 100644 --- a/tap.h +++ b/tap.h @@ -68,6 +68,7 @@ void tap_handler_pasta(struct ctx *c, uint32_t events, =09=09 const struct timespec *now); void tap_handler_passt(struct ctx *c, uint32_t events, =09=09 const struct timespec *now); +int tap_sock_unix_open(char *sock_path); void tap_sock_init(struct ctx *c); =20 #endif /* TAP_H */ --=20 2.43.0
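Review bot: in the conf.c hunk adding conf_open_files(), the listening socket is opened only when c->fd_tap == -1, but the tap.c hunk at 1318 removes the tap_sock_unix_open() call from a block shown only as `if (c->mode == MODE_PASST) {` and still calls tap_sock_unix_init(c) unconditionally inside it, and tap_sock_unix_init() (hunk at 1167) registers c->fd_tap_listen with epoll_ctl(). The context does not show whether that block is already skipped when a tap descriptor was passed in, so please confirm that tap_sock_unix_init() cannot be reached with c->fd_tap_listen never set, or mirror the same c->fd_tap == -1 check there.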
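Review bot: with `conf_open_files(c); /* Before any possible setuid() / setgid() */` placed just before isolate_user() in the conf() hunk, pidfile_open() and tap_sock_unix_open() now create or bind at user-supplied paths with the caller's full privileges, which is the intent, but it also means a root-started process follows whatever is at c->pid_file before dropping privileges. The hunks do not show pidfile_open()'s flags, so it is worth checking that it opens with O_CLOEXEC and refuses a symlink at that path (O_NOFOLLOW), and spelling out in the commit message that it is the descriptors, not the paths, that survive the UID/GID switch.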
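Review bot: the passt.h hunk documents @pidfile_fd as "-1 if none" and the passt.c hunk at 211 initialises c.pidfile_fd = -1, but conf_open_files() then assigns c->pidfile_fd = pidfile_open(c->pid_file) unconditionally, so the -1 case only holds if pidfile_open() returns -1 for an empty c->pid_file (documented in the same struct as "empty string if not configured"). Either guard the call with `if (*c->pid_file)` or note in the @pidfile_fd comment that pidfile_open() handles the empty path, so the invariant is visible where the field is declared.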
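What the commit message argues for, as an added example that is not passt's own code: open the privileged resources first, then drop privileges, then keep using the descriptors. The paths under /tmp, the helper names (pidfile_open_early(), unix_listen_early(), drop_privileges(), open_then_drop(), pidfile_read()) and the open flags are assumptions for illustration; passt's real pidfile_open() and tap_sock_unix_open() bodies are not shown in this patch.

```c
/* Added example, not passt's code: open a PID file and a listening UNIX
 * socket while still privileged, drop to an unprivileged uid/gid, then use
 * the descriptors. Paths, helper names and flags are assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Opened before the privilege drop, so this runs with root's access when
 * started as root: O_NOFOLLOW refuses a symlink planted at the path. */
static int pidfile_open_early(const char *path)
{
	return open(path, O_WRONLY | O_CREAT | O_CLOEXEC | O_NOFOLLOW, 0644);
}

/* Bind and listen before the drop; a stale socket file is unlinked first
 * (assumption: the path belongs to us). Returns -1 on failure. */
static int unix_listen_early(const char *path)
{
	struct sockaddr_un addr = { .sun_family = AF_UNIX };
	int fd;

	if (strlen(path) >= sizeof(addr.sun_path))
		return -1;
	strcpy(addr.sun_path, path);
	fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
	if (fd < 0)
		return -1;
	unlink(path);
	if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
	    listen(fd, 1) < 0) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Drop in the only safe order: supplementary groups, gid, then uid. When
 * not root, just check we already are uid/gid. Returns 0 on success. */
static int drop_privileges(uid_t uid, gid_t gid)
{
	if (geteuid() != 0)
		return (getuid() == uid && getgid() == gid) ? 0 : -1;
	if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
		return -1;
	/* Paranoia: after dropping to a non-root uid, regaining root must fail */
	if (uid != 0 && setuid(0) == 0)
		return -1;
	return 0;
}

/* Whole sequence: open as the starting user, drop, then write the PID via
 * the descriptor, which keeps working even if the path is now unreachable. */
static int open_then_drop(const char *pid_path, const char *sock_path,
			  uid_t uid, gid_t gid, pid_t pid)
{
	int pidfd = pidfile_open_early(pid_path);
	int sockfd = unix_listen_early(sock_path);
	char buf[32];
	int len, rc = -1;

	if (pidfd < 0 || sockfd < 0 || drop_privileges(uid, gid) < 0)
		goto out;
	len = snprintf(buf, sizeof(buf), "%d\n", (int)pid);
	if (write(pidfd, buf, len) == len && ftruncate(pidfd, len) == 0)
		rc = 0;
out:
	if (pidfd >= 0)
		close(pidfd);
	if (sockfd >= 0)
		close(sockfd);
	return rc;
}

/* Read the PID back from the file, -1 if missing or empty */
static pid_t pidfile_read(const char *path)
{
	char buf[32] = { 0 };
	int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
	ssize_t n;

	if (fd < 0)
		return -1;
	n = read(fd, buf, sizeof(buf) - 1);
	close(fd);
	return n > 0 ? (pid_t)atoi(buf) : -1;
}

int main(void)
{
	/* Run unprivileged, uid/gid are our own, so the drop only verifies;
	 * run as root with a non-root uid/gid to see the real switch. */
	int rc = open_then_drop("/tmp/example.pid", "/tmp/example.sock",
				getuid(), getgid(), getpid());

	printf("%s, pid file holds %d\n", rc ? "failed" : "ok",
	       (int)pidfile_read("/tmp/example.pid"));
	return rc ? 1 : 0;
}
```

Run unprivileged, the drop is a no-op check and the file is simply written. Run as root with a non-root uid/gid, the same two descriptors remain usable after setuid() even if the paths are only accessible to root, which is exactly why conf_open_files() sits before isolate_user() in this patch: the user never has to loosen permissions on the PID file or socket directory.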