Date: Mon, 22 May 2023 15:48:13 +1000
From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top
Subject: Re: [PATCH 3/3] isolation: Initially Keep CAP_SETFCAP if running as UID 0 in non-init
In-Reply-To: <20230521234158.2769867-4-sbrivio@redhat.com>

On Mon, May 22, 2023 at 01:41:58AM +0200, Stefano Brivio wrote:
> If pasta spawns a child process while running as UID 0, which is only
> allowed from a non-init namespace, we need to keep CAP_SETFCAP before
> pasta_start_ns() is called: otherwise, starting from Linux 5.12, we
> won't be able to update /proc/self/uid_map with the intended mapping
> (from 0 to 0). See user_namespaces(7).
>
> Signed-off-by: Stefano Brivio

Reviewed-by: David Gibson

> ---
> isolation.c | 17 ++++++++++++++---
> 1 file changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/isolation.c b/isolation.c
> index 5f89047..19932bf 100644
> --- a/isolation.c
> +++ b/isolation.c
> @@ -177,6 +177,8 @@ static void clamp_caps(void) > */ > void isolate_initial(void) > { > + uint64_t keep; > + > /* We want to keep CAP_NET_BIND_SERVICE in the initial > * namespace if we have it, so that we can forward low ports > * into the guest/namespace 
> @@ -193,9 +195,18 @@ void isolate_initial(void) > * further capabilites in isolate_user() and > * isolate_prefork(). > */ > - drop_caps_ep_except(BIT(CAP_NET_BIND_SERVICE) | > - BIT(CAP_SETUID) | BIT(CAP_SETGID) | > - BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN)); > + keep =3D BIT(CAP_NET_BIND_SERVICE) | BIT(CAP_SETUID) | BIT(CAP_SETGID) | > + BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN); > + > + /* Since Linux 5.12, if we want to update /proc/self/uid_map to create > + * a mapping from UID 0, which only happens with pasta spawning a child > + * from a non-init user namespace (pasta can't run as root), we need to > + * retain CAP_SETFCAP too. > + */ > + if (!ns_is_init() && !geteuid()) > + keep |=3D BIT(CAP_SETFCAP); > + > + drop_caps_ep_except(keep); > } > =20 > /**

-- 
David Gibson                   | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you.  NOT _the_ _other_
                               | _way_ _around_!
http://www.ozlabs.org/~dgibson
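Review bot: in the second hunk, the new comment explains why CAP_SETFCAP must be retained for the /proc/self/uid_map write, but nothing in the hunk shows where it is dropped again afterwards; the context lines just above promise that further capabilities are dropped in isolate_user() and isolate_prefork(), so either confirm CAP_SETFCAP is covered by those drops or extend the comment to say where it goes, since a capability that allows setting file capabilities should be held no longer than that one write. The guard `if (!ns_is_init() && !geteuid())` also relies on an earlier check that refuses UID 0 in the init namespace (the comment only says "pasta can't run as root"); naming that check in the comment would make the invariant visible here rather than leaving the reader to trust it.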