From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from gandalf.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])
	by passt.top (Postfix) with ESMTPS id 2DD6B5A027F
	for <passt-dev@passt.top>; Mon, 22 May 2023 08:01:50 +0200 (CEST)
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4QPmzt4Nn1z4x4L; Mon, 22 May 2023 16:01:46 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=201602; t=1684735306;
	bh=reo3LUaMU/pT0Hj/XXYQ6wIZW5GPpFf00aIX4gMpwmY=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=XjRINalvmDtN3aDWn+glbxj0NFYcYIKxLAYLXSra9GyoJ40bXwHq915eivMshytnG
	 csbmfJCW2pLDyMF9CywnRuJ4i5Vvs4yXQXEQhXFjgp4R3q/96tDzaum1JKTEuhpRjd
	 Q7BOkyRoI2AxsWr+z+Ka0vH6ywjBmbvHTwcpXjyg=
Date: Mon, 22 May 2023 15:48:13 +1000
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Subject: Re: [PATCH 3/3] isolation: Initially Keep CAP_SETFCAP if running as
 UID 0 in non-init
Message-ID: <ZGsCHcJxbOaci3xD@yekko>
References: <20230521234158.2769867-1-sbrivio@redhat.com>
 <20230521234158.2769867-4-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="HKw1e0koe73iHZEf"
Content-Disposition: inline
In-Reply-To: <20230521234158.2769867-4-sbrivio@redhat.com>
Message-ID-Hash: GAXH4MX7VQAO4EG6VKWOUPZZ7ZM2FCSI
X-Message-ID-Hash: GAXH4MX7VQAO4EG6VKWOUPZZ7ZM2FCSI
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/ZGsCHcJxbOaci3xD@yekko/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/GAXH4MX7VQAO4EG6VKWOUPZZ7ZM2FCSI/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--HKw1e0koe73iHZEf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, May 22, 2023 at 01:41:58AM +0200, Stefano Brivio wrote:
> If pasta spawns a child process while running as UID 0, which is only
> allowed from a non-init namespace, we need to keep CAP_SETFCAP before
> pasta_start_ns() is called: otherwise, starting from Linux 5.12, we
> won't be able to update /proc/self/uid_map with the intended mapping
> (from 0 to 0). See user_namespaces(7).
>=20
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Reviewed-by: David Gibson <david@gibson.dropbear.id.au>

> ---
>  isolation.c | 17 ++++++++++++++---
>  1 file changed, 14 insertions(+), 3 deletions(-)
>=20
> diff --git a/isolation.c b/isolation.c
> index 5f89047..19932bf 100644
> --- a/isolation.c
> +++ b/isolation.c
> @@ -177,6 +177,8 @@ static void clamp_caps(void)
>   */
>  void isolate_initial(void)
>  {
> +	uint64_t keep;
> +
>  	/* We want to keep CAP_NET_BIND_SERVICE in the initial
>  	 * namespace if we have it, so that we can forward low ports
>  	 * into the guest/namespace
> @@ -193,9 +195,18 @@ void isolate_initial(void)
>  	 * further capabilites in isolate_user() and
>  	 * isolate_prefork().
>  	 */
> -	drop_caps_ep_except(BIT(CAP_NET_BIND_SERVICE) |
> -			    BIT(CAP_SETUID) | BIT(CAP_SETGID) |
> -			    BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN));
> +	keep =3D BIT(CAP_NET_BIND_SERVICE) | BIT(CAP_SETUID) | BIT(CAP_SETGID) |
> +	       BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN);
> +
> +	/* Since Linux 5.12, if we want to update /proc/self/uid_map to create
> +	 * a mapping from UID 0, which only happens with pasta spawning a child
> +	 * from a non-init user namespace (pasta can't run as root), we need to
> +	 * retain CAP_SETFCAP too.
> +	 */
> +	if (!ns_is_init() && !geteuid())
> +		keep |=3D BIT(CAP_SETFCAP);
> +
> +	drop_caps_ep_except(keep);
>  }
> =20
>  /**

--=20
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

--HKw1e0koe73iHZEf
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmRrAhYACgkQzQJF27ox
2GcRVA//eHkH5IqDE2qjbioO16cMt6bSM9brRIshWUvJNhuDiN3Fme4DeAHySRry
aJ9MOdXV91DVJi2JzI6CkBFmUrf+KlWfn7W1IRduJGOgXF7gBk++iPGAiBFOyidO
cvIwmP1t4r6kzKtJx1t+Hhrdy/6eDvLkHFUPMahHMzhmfrz144OaE6M7nwSpv3ng
ZP71xeS3NIHEDKUnOXfsY89Z9ZqfC04+tqwfejP6H3GhDV1nMWVkylj/YfOpqnno
G3tNwNVBrAaez2184e/jRAU7rfYo5aCCUhzcRt3Olgi27JY9TIWP2BtE0lOB+jpW
Uq2VF1qGSzzhhw94qunF31M26ayas6qDbCVeSI1RoZsnUIjJN5jV6B1dOf0uPb4T
duXW1mAFtozpZUyT6+OGbDSVCfz/mDQfWUuJur4H9tfMGqsuJAi9OotFB3rm8DUD
mHfY14GM2v44SO8drPgXB6AQ20Mt45LUxfkYYhYwpf1D9wT3l5WoUIaa1kvUNW6n
LGd4qD6iodJ7sf3wdvqpuw8spmGZtqfctUB2R1pw/nKd/s1rElpP+PZt87BGKxYn
S7jpxgsuGEUZ8yroP5RPGfFg78hBREWfC2gdSk8CHgqW0IaQnwD6qNArlYJ7q0pz
wgn6tVuXIS9nieb6QDWAfzCnT24tHkLmxzaoyrytc6ns/xQVlQg=
=U8Oi
-----END PGP SIGNATURE-----

--HKw1e0koe73iHZEf--