Date: Fri, 14 Oct 2022 14:20:44 +1100
From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top
Subject: Re: [PATCH] conf: Bind inbound ports with CAP_NET_BIND_SERVICE before isolate_user()
References: <20221013163406.3727136-1-sbrivio@redhat.com>

On Fri, Oct 14, 2022 at 02:12:26PM +1100, David Gibson wrote:
> On Thu, Oct 13, 2022 at 06:34:06PM +0200, Stefano Brivio wrote:
> > Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in
> > the target user namespace as we isolate the process, which means
> > we're unable to bind to low ports at that point.
> > 
> > Bind inbound ports, and only those, before isolate_user(). Keep the
> > handling of outbound ports (for pasta mode only) after the setup of
> > the namespace, because that's where we'll bind them.
> > 
> > To this end, initialise the netlink socket for the init namespace
> > before isolate_user() as well, as we actually need to know the
> > addresses of the upstream interface before binding ports, in case
> > they're not explicitly passed by the user.
> > 
> > As we now call nl_sock_init() twice, checking its return code from
> > conf() twice looks a bit heavy: make it exit(), instead, as we
> > can't do much if we don't have netlink sockets.
> > 
> > While at it:
> > 
> > - move the v4_only && v6_only options check just after the first
> >   option processing loop, as this is more strictly related to
> >   option parsing proper
> > 
> > - update the man page, explaining that CAP_NET_BIND_SERVICE is
> >   *not* the preferred way to bind ports, because passt and pasta
> >   can be abused to allow other processes to make effective usage
> >   of it. Add a note about the recommended sysctl instead
> > 
> > Reported-by: David Gibson
> > Signed-off-by: Stefano Brivio

Sorry, sent the previous reply before I'd finished.

> > -If the port forwarding configuration requires binding to port numbers lower than
> > -1024, \fBpasst\fR and \fBpasta\fR will try to bind to them, but will fail if not
> > -running as root, or without the \fICAP_NET_BIND_SERVICE\fR Linux capability, see
> > -\fBservices\fR(5) and \fBcapabilities\fR(7). To grant the
> > -\fICAP_NET_BIND_SERVICE\fR capability to passt, you can issue, as root:
> > +If the port forwarding configuration requires binding to ports with numbers
> > +lower than 1024, \fBpasst\fR and \fBpasta\fR will try to bind to them, but will
> > +fail, unless, either:
> > +
> > +.IP \(bu 2
> > +the \fIsys.net.ipv4.ip_unprivileged_port_start\fR sysctl is set to the number
> > +of the lowest port \fBpasst\fR and \fBpasta\fR need. For example, as root:
> > +
> > +.nf
> > +	sysctl -w net.ipv4.ip_unprivileged_port_start=443
> > +.fi
> > +
> > +\fBNote\fR: this is the recommended way of enabling \fBpasst\fR and \fBpasta\fR
> > +to bind to ports with numbers below 1024.
> > +
> > +.IP \(bu
> > +or the \fICAP_NET_BIND_SERVICE\fR Linux capability is granted, see
> > +\fBservices\fR(5) and \fBcapabilities\fR(7).
> > +
> > +This is, in general, \fBnot the recommended way\fR, because \fBpasst\fR and
> > +\fBpasta\fR might be used as vector to effectively use this capability from
> > +another process.
> > +
> > +However, if your environment is sufficiently controlled by an LSM (Linux
> > +Security Module) such as \fIAppArmor\fR, \fISELinux\fR, \fISmack\fR or
> > +\fITOMOYO\fR, and no other processes can interact in such a way in virtue of
> > +this, granting this capability to \fBpasst\fR and \fBpasta\fR only can
> > +effectively prevent other processes from utilising it.
> > +
> > +Note that this will not work for automatic detection and forwarding of ports
> > +with \fBpasta\fR, because \fBpasta\fR will relinquish this capability at
> > +runtime.
> > +
> > +To grant this capability, you can issue, as root:
> > +
> > +.nf
> > +	setcap 'cap_net_bind_service=+ep' $(which passt)
> > +.fi
> >  
> > -.RS
> > -setcap 'cap_net_bind_service=+ep' $(which passt)
> >  .RE

These likely won't be enough, since for most users the caps on the
passt.avx2 binary are the ones that will matter.
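Review bot: the sysctl is named inconsistently within the man page hunk: the prose line `+the \fIsys.net.ipv4.ip_unprivileged_port_start\fR sysctl is set to the number` carries a `sys.` prefix, while the example two lines below reads `sysctl -w net.ipv4.ip_unprivileged_port_start=443`; the key is `net.ipv4.ip_unprivileged_port_start`, so the prose should drop `sys.`. Two caveats would help the reader of the "recommended way" paragraph: `sysctl -w` is not persistent across reboots, so the example could point at a drop-in under /etc/sysctl.d for a permanent setting, and lowering ip_unprivileged_port_start applies to every unprivileged process in that network namespace, not only to passt and pasta, which is the trade-off against the per-binary capability and deserves a sentence next to the note. On the capability branch, the `setcap ... $(which passt)` example only covers the one binary, which matches the point already raised in this reply about passt.avx2. Wording: "might be used as vector" wants an article ("as a vector"), and "no other processes can interact in such a way in virtue of this" is hard to parse; spelling out the intended condition (no other process can make passt or pasta use the capability on its behalf, which is what the previous paragraph describes) would make the LSM paragraph clearer.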
-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson