From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from gandalf.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id 76F1F5A0265 for ; Thu, 13 Oct 2022 02:50:59 +0200 (CEST) Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4MnrYC4lZqz4xGG; Thu, 13 Oct 2022 11:50:55 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=201602; t=1665622255; bh=bkyMubKYZSLVSqDmjGPOuVkFQdE5zvlYmGId1ZhX/C4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=R5ogUo7irr0YaYkR5VfrfyD9SPt6LHpWh6SotlzP+5B6oF9P6ICbvSYSkAvGu3oWB o0Ggpy6Cjw9JTmonCFDmJbu2vl6B19AlZ9rZLWwnGGCOzl3oa8Eo9D8T3sc9zNr2QR 7Lgdr4TfbffIs9GGi9CdgSgH5IvixEgH+jXaEfLI= Date: Thu, 13 Oct 2022 11:34:04 +1100 From: David Gibson To: Stefano Brivio Subject: Re: Alas for CAP_NET_BIND_SERVICE Message-ID: References: <20221012075432.09e33625@elisabeth> <20221012124707.70755587@elisabeth> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="Cxb2GK1UT0RCXgWx" Content-Disposition: inline In-Reply-To: <20221012124707.70755587@elisabeth> Message-ID-Hash: 6VRQJ55QWGDY3MNA26G33BDOYZGCU6A3 X-Message-ID-Hash: 6VRQJ55QWGDY3MNA26G33BDOYZGCU6A3 X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top X-Mailman-Version: 3.3.3 Precedence: list List-Id: Development discussion and patches for passt Archived-At: <> Archived-At: List-Archive: <> List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --Cxb2GK1UT0RCXgWx Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Oct 12, 2022 at 12:47:07PM +0200, Stefano Brivio wrote: > On Wed, 12 Oct 2022 20:31:20 +1100 > David Gibson wrote: >=20 > > On Wed, Oct 12, 2022 at 07:54:32AM +0200, Stefano Brivio wrote: > > > Hi David, > > >=20 > > > On Wed, 12 Oct 2022 13:55:02 +1100 > > > David Gibson wrote: > > > =20 > > > > Hi Stefano, > > > >=20 > > > > I've looked deeper into why giving passt/pasta CAP_NET_BIND_SERVICE > > > > isn't working, and I'm afraid I have bad news. =20 > > >=20 > > > Thanks for the investigation. > > > =20 > > > > We lose CAP_NET_BIND_SERVICE in the initial namespace as soon as we > > > > unshare() or setns() into the isolated namespace, and this appears = to > > > > be intended behaviour. From user_namespaces(7), in the Capabilitie= s section: > > > >=20 > > > > The child process created by clone(2) with the CLONE_NEWUSER fl= ag > > > > starts out with a complete set of capabilities in the new user > > > > namespace. Likewise, a process that creates a new user namespa= ce > > > > using unshare(2) or joins an existing user namespace using > > > > setns(2) gains a full set of capabilities in that namespace. *= **On > > > > the other hand, that process has no capabilities in the parent = (in > > > > the case of clone(2)) or previous (in the case of unshare(2) and > > > > setns(2)) user namespace, even if the new namespace is created = or > > > > joined by the root user (i.e., a process with user ID 0 in the > > > > root namespace).*** > > > >=20 > > > > Emphasis (***) mine. Basically, despite the way it's phrased in ma= ny > > > > places, processes don't have an independent set of capabilities in > > > > each userns, they only have a set of capabilities in their current > > > > userns. Any capabilities in other namespaces are implied in a pret= ty > > > > much all or nothing way - if the process's UID (the real, init ns o= ne) > > > > owns the userns (or one of its ancestors), it gets all caps, otherw= ise > > > > none. cap_capable() has the specific logic in the kernel. =20 > > >=20 > > > Right, I missed this. > > >=20 > > > For a moment, I wondered about ambient capabilities, but those would > > > only have an effect on an execve(), not on a clone(), I guess. =20 > >=20 > > Well, yes, but it doesn't really make any difference in any case. All > > ambient caps can do is be another way to get things into the permitted > > set. If that happens before the unshare() then we still lose them on > > unshare(). If it happens after the unshare(), then it's just giving > > us caps within the namespace, which isn't what we need. > >=20 > > > > So, using CAP_NET_BIND_SERVICE isn't compatible with isolating > > > > ourselves in our own userns. At the very least "auto" inbound > > > > forwarding of low ports is pretty much off the cards. > > > >=20 > > > > For forwarding of specific low ports, we could delay our entry into > > > > the new userns until we've set up the listening sockets, although it > > > > does mean rolling back some of the simplification we gained from the > > > > new-style userns handling. =20 > > >=20 > > > If I understand correctly, the biggest hurdle would be: > > >=20 > > > 1. we detach namespaces > > >=20 > > > 2. only then we can finalise any missing bit of addressing and routing > > > configuration (relevant for pasta) > > >=20 > > > 3. we bind ports as we parse configuration options, but we need > > > addressing to be fully configured for this > > >=20 > > > Referring to your latest patchset (which I'm still reviewing), I guess > > > that implies a further split of isolate_user() (it's great to have a > > > name for that, finally!), right? =20 > >=20 > > Uh.. something like that, I haven't looked at the details. As we did > > before my userns cleanup, we'd probably need to repeatedly enter the > > userns as well as the netns to operate upon it, staying in the initial > > userns, with our initial caps until sandbox()/isolate_prefork() or > > thereabouts. > >=20 > > > > Or, we could abandon CAP_NET_BIND_SERVICE, and recommend the > > > > net.ipv4.ip_unprivileged_port_start sysctl as the only way to handle > > > > low ports in passt. I do see a fair bit of logic in that approach: > > > > passt has no meaningful way to limit what users do with the low por= ts > > > > it allows them (indirectly) to bind to, giving passt > > > > CAP_NET_BIND_SERVICE is pretty much equivalent to giving any process > > > > which can invoke passt CAP_NET_BIND_SERVICE. =20 > > >=20 > > > I also see the general point, even though if file capabilities are > > > used, I guess the equivalence doesn't really hold. =20 > >=20 > > Uh.. I don't follow. It's exactly file capabilities which make this > > equivalence. If the passt binary has cap_net_bind_service=3Dep, you > > can, as an unprivileged user, take any server, stick it in a namespace > > and use pasta to effectively bind it to a low port in the init > > namespace. >=20 > I actually meant with passt but... even for pasta, this depends on the > decision of whether we drop capabilities for the spawned process. If we > decide we don't, one day, then it's not equivalent. No, from a security perspective it pretty much is still equivalent. You can start your own namespace where you have full capabilities, run the server in there, then use pasta to translate your cap_net_bind_service within to cap_net_bind_service on the host. Or just run the server on a high port and tell pasta to connect a low port to it. > It would be equivalent if we just inherited capabilities from the > parent as opposed to file capabilities -- that's what I meant. >=20 > I think it's a bit early to decide to drop those, though. Right now > pasta isn't really used as a stand-alone tool (even though I > actually do that, I find it very convenient also for totally unrelated > purposes). >=20 > Should we see some use cases, then we could make a more informed > decision. >=20 > > You can do the same thing with passt, though it's fiddlier > > (you'd need a shim to translate qemu socket protocol before plugging > > it into the server). >=20 > Oh, you mean running pasta plus a shim plus qemu? Because with passt I > don't understand how you'd pass that kind of stuff over AF_UNIX... No qemu necessary. Make your bogus server, but instead of directly listen()ing on a low port, have it connect to a Unix socket and wait for SYN packets to a low port in qemu protocol. Then use passt to turn your Unix socket into a real listen()ing socket on the host. > > > And perhaps we > > > should at least recommend that as a preferred way. > > >=20 > > > What still perplexes me is: somebody gives passt CAP_NET_BIND_SERVICE, > > > and due to something that's slightly more than an implementation deta= il, > > > it won't be able to bind to low ports, which is the very reason for t= hat > > > capability. That sounds highly counterintuitive. =20 > >=20 > > I guess it is in the sense that the reason for this wasn't obvious to > > either of us initially. However it makes sense to me now that I've > > looked at it. >=20 > No, no, in the sense that it makes sense to you and now to me as well, > as you explained it to me. And yet it I find it hard to imagine that it > would naturally make sense to users, in these terms: >=20 > - we offer a program that provides network connectivity to qemu >=20 > - it also includes port forwarding functionality: it binds to > configured ports and maps them to the guest >=20 > - it can't bind to any port: it doesn't run as root, and Linux prevents > non-root processes from binding to ports lower than 1024, which is a > well-known fact -- at least by default (lesser known fact) >=20 > - somewhat in between on the scale of general knowledge, lies > CAP_NET_BIND_SERVICE: it allows non-root processes to bind to low > ports >=20 > ...but not passt. For very valid reasons, indeed, but those will need > to be explained over and over again. Yeah, I guess so. > > We use a userns for two reasons: 1) to control a netns > > and 2) to isolate ourselves for security. We use the same path and > > the same userns for both, but they're logically different reasons. > >=20 > > If (1) was the only reason for the userns we could handle this pretty > > easily: we'd only enter the userns transiently when we need to > > manipulate it, just like we do with the netns. That way the main > > thread would retain CAP_NET_BIND_SERVICE in the original ns. > >=20 > > For (2), we're specifically choosing to isolate ourselves: that is to > > give up privilege from our original position. It's not surprising > > there's some degree of granularity to how we can do that, and the deal > > is that we can't give up our membership in the original userns without > > also giving up our enhanced capabilities in that userns. > >=20 > > I don't think giving up (2) is a price worth paying for this. >=20 > Absolutely, I agree, I wouldn't either. >=20 > However, he could give users the choice without compromising (2) at > all, by binding to low ports early (without automatic detection, sure). > And, somewhat importantly, by not handling any data from them. >=20 > We could even defer the listen() calls if there's any value in doing so > (is there some? I can't think of anything). >=20 > Actually, I'm thinking of an easier way to break the circular > dependency between isolation steps and port configuration I outlined > earlier, without undoing your cleanups at all. >=20 > We currently need to process port configuration in a second step for > two reasons: >=20 > - we might bind ports in the detached namespace (-T, -U) >=20 > - one between IPv4 and IPv6 support could be administratively disabled > (operationally, who cares, we'll just fail to bind if that's the > case) >=20 > ...but for init/host facing ports (now: "inbound"), we don't care about > the detached namespace, and we could simply call conf_ports() for -t > and -u in a second step after the main loop. Sure, if we continue like > this, we'll end up with O(n=B2) option handling, but right now it > doesn't look that bad to me. Ah, yes, that could work. Of course, this does mean moving some relatively complex code out of at least one layer of isolation, which carries some risks. > I would give it a shot after I'm done reviewing your patchset (it > should also look clearer after that) and re-spinning my recent ones, > unless you see something wrong with it. --=20 David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson --Cxb2GK1UT0RCXgWx Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoULxWu4/Ws0dB+XtgypY4gEwYSIFAmNHXMsACgkQgypY4gEw YSKmuw//WXF1x6wWh8vd8/FfauPxqiULIIS0buwLn2Hc+dJUJO9oIrvnX0q2Hnf7 tJhwWvxBEGRcZkShONgzczWMZ2xhvu7mlYa0QhLirrgpOGe+o9KuZvn44321mvkg Mvrkhaizg+/Y6NInUdcUbMCUh2d9o4VNiQ9tHn7okm3zc20v/l7eoegfldriRUaV 6ojYbBNkxH8pHSImgux/BuQTwC99aPZkGLAyHaSR7njwzsBTLlfUQ9b9SUqcSLqf GN0R29+iRPPwM1sBI/76MghoKMW+cz1eDobz6CdD5Y9QvIjX7uor+f9e09pUr+Ad Jr7jj/EhIKgWY5jJ+hI+vLNdfEkUV9yemuiCxVfOmqqD4LX5TxlRFMr18V2WFCwV HEZakBA/iIxEzqGzwxsyFUJ8D8P6BHqhhqbl/9PraFt6IF1U1S41iHc0pEoeV1u9 nnWI7ZrDN+2mqc+U7SbFpxP/dgPc/cZf2UrnVYH1997BuiN6p8sUkHejDJcw9yzf p3Y04zJlf7tV9TrlFHfeyDvIgEFWaXjzCcbGs1xBwLk70ETnsjQeTBqI47HkPTKM +DSTx8mf0Tp4O+RU6WSuthrHUTi9fHxvgzUb+YsMLNE+1nzBUcfokt6mGzg9C0bt sTQ166Ukg1jiiNttYBr5J/qVOdCuEBHBGMu38zx3WACGJ9XPEII= =VH7i -----END PGP SIGNATURE----- --Cxb2GK1UT0RCXgWx--