[lxc-devel] [PATCH] lxc-attach: elevate specific privileges
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Nov 19 21:48:36 UTC 2013
Quoting Nikola Kotur (kotnick at gmail.com):
> There are scenarios in which we want to execute a process with specific
> privileges elevated.
>
> An example for this might be executing a process inside the container
> securely, with capabilities dropped, but not in the container's cgroup so
> that we can have per-process restrictions inside a single container.
>
> Similar to namespaces, privileges to be elevated can be OR'd:
>
> lxc-attach --elevated-privileges='CAP|CGROUP' ...
>
> Backward compatibility with previous versions is retained. In case no
> privileges are specified, behaviour is the same as before: all of them
> are elevated.
Hi,
Thanks for submitting this patch. No objection overall, however
there are a few existing places where elevated_privileges is set to 1
which you are not updating. I also notice that currently it seems
broken as the manpage says that -R should imply -e, but I don't
see where that is enforced any more.
(Lastly, please do add a Signed-off-by.)
> ---
> doc/lxc-attach.sgml.in | 13 ++++++++++++-
> src/lxc/confile.c | 37 +++++++++++++++++++++++++++++++++++++
> src/lxc/confile.h | 2 ++
> src/lxc/lxc_attach.c | 26 +++++++++++++++++---------
> 4 files changed, 68 insertions(+), 10 deletions(-)
>
> diff --git a/doc/lxc-attach.sgml.in b/doc/lxc-attach.sgml.in
> index 8d75c7c..133e8fd 100644
> --- a/doc/lxc-attach.sgml.in
> +++ b/doc/lxc-attach.sgml.in
> @@ -23,6 +23,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> -->
>
> +
> <!DOCTYPE refentry PUBLIC @docdtd@ [
>
> <!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
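Review bot: the only change in this hunk is a stray blank line added before the DOCTYPE declaration; it is unrelated to the feature and should be dropped so the doc patch stays minimal.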
> @@ -107,7 +108,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> <varlistentry>
> <term>
> - <option>-e, --elevated-privileges</option>
> + <option>
> + -e, --elevated-privileges <replaceable>privileges</replaceable>
> + </option>
> </term>
> <listitem>
> <para>
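Review bot: the synopsis now reads as if `privileges` were mandatory, but the option is declared `optional_argument` in lxc_attach.c; wrap the argument in the DocBook `<optional>` element (or otherwise mark it optional) so the manpage matches the parser. Since `getopt_long` only accepts an optional argument in the attached `--elevated-privileges=privileges` form, the term should show the `=` as well.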
> @@ -117,6 +120,14 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> <emphasis>not</emphasis> be added to the container's cgroup(s)
> and it will not drop its capabilities before executing.
> </para>
> + <para>
> + You may specify privileges, in case you do not want to elevate all of
> + them, as a pipe-separated list, e.g.
> + <replaceable>CGROUP|LSM</replaceable>. Allowed values are
> + <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
> + <replaceable>LSM</replaceable> representing cgroup, capabilities and
> + restriction privileges respectively.
> + </para>
> <para>
> <emphasis>Warning:</emphasis> This may leak privileges into the
> container if the command starts subprocesses that remain active
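Review bot: the new paragraph describes `LSM` as "restriction privileges", which does not tell the reader what is actually elevated; say that `LSM` skips the LSM (e.g. AppArmor/SELinux) label transition that the container's configuration would otherwise apply on exec. The example `CGROUP|LSM` also needs a note that the `|` must be quoted on the shell command line, as the commit message's `--elevated-privileges='CAP|CGROUP'` does, otherwise the shell turns it into a pipeline.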
> diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> index 0e0b7e8..fdfa418 100644
> --- a/src/lxc/confile.c
> +++ b/src/lxc/confile.c
> @@ -1568,6 +1568,43 @@ signed long lxc_config_parse_arch(const char *arch)
> return -1;
> }
>
> +int lxc_fill_elevated_privileges(char *flaglist, int *flags)
> +{
> + char *token, *saveptr = NULL;
> + int i, aflag;
> + struct { const char *token; int flag; } all_privs[] = {
> + { "CGROUP", LXC_ATTACH_MOVE_TO_CGROUP },
> + { "CAP", LXC_ATTACH_DROP_CAPABILITIES },
> + { "LSM", LXC_ATTACH_LSM_EXEC },
> + { NULL, 0 }
> + };
> +
> + if (!flaglist) {
> + /* for the sake of backward compatibility, drop all privileges
> + if none is specified */
> + for (i = 0; all_privs[i].token; i++) {
> + *flags |= all_privs[i].flag;
> + }
> + return 0;
> + }
> +
> + token = strtok_r(flaglist, "|", &saveptr);
> + while (token) {
> + aflag = -1;
> + for (i = 0; all_privs[i].token; i++) {
> + if (!strcmp(all_privs[i].token, token))
> + aflag = all_privs[i].flag;
> + }
> + if (aflag < 0)
> + return -1;
> +
> + *flags |= aflag;
> +
> + token = strtok_r(NULL, "|", &saveptr);
> + }
> + return 0;
> +}
> +
> static int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v)
> {
> if (!retv)
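Review bot: the comment in the `!flaglist` branch says "drop all privileges if none is specified", but the code ORs in every flag so that all of them are cleared from attach_flags later, i.e. all privileges are elevated; the comment states the opposite of the behaviour and should be corrected. Two smaller points in the same function: a parse failure returns -1 without any `ERROR()` naming the offending token, so the user sees a bare usage failure, and `strtok_r` collapses consecutive separators and does not trim whitespace, so `CAP||CGROUP` is silently accepted while `CAP | CGROUP` is rejected; document that tokens must be exact and unpadded, or trim them. A short comment above the function saying that `*flags` receives the set of `LXC_ATTACH_*` restriction flags to clear would also help, since the name "fill elevated privileges" reads as the inverse of what the mask means.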
> diff --git a/src/lxc/confile.h b/src/lxc/confile.h
> index 9d12071..eb7a8c2 100644
> --- a/src/lxc/confile.h
> +++ b/src/lxc/confile.h
> @@ -22,6 +22,7 @@
> */
>
> #include <stdio.h>
> +#include "attach_options.h"
>
> #ifndef _confile_h
> #define _confile_h
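Review bot: `#include "attach_options.h"` is inserted before the `#ifndef _confile_h` guard, next to `<stdio.h>`; move it inside the guard with the rest of the header's contents, and consider whether a forward declaration of the prototype's plain `int *` parameter makes the include unnecessary at all, since the new prototype does not reference any `attach_options.h` type.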
> @@ -47,6 +48,7 @@ extern int lxc_config_define_load(struct lxc_list *defines,
>
> /* needed for lxc-attach */
> extern signed long lxc_config_parse_arch(const char *arch);
> +extern int lxc_fill_elevated_privileges(char *flaglist, int *flags);
>
> extern int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv, int inlen);
> extern int lxc_clear_config_item(struct lxc_conf *c, const char *key);
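Review bot: the new prototype has no comment describing its contract; since it lives next to `lxc_config_parse_arch` under "needed for lxc-attach", note that `flaglist` is modified in place (strtok_r) and may be NULL, and that the return is 0 on success and -1 on an unknown token.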
> diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c
> index b49771b..5457d93 100644
> --- a/src/lxc/lxc_attach.c
> +++ b/src/lxc/lxc_attach.c
> @@ -38,7 +38,7 @@
> lxc_log_define(lxc_attach_ui, lxc);
>
> static const struct option my_longopts[] = {
> - {"elevated-privileges", no_argument, 0, 'e'},
> + {"elevated-privileges", optional_argument, 0, 'e'},
> {"arch", required_argument, 0, 'a'},
> {"namespaces", required_argument, 0, 's'},
> {"remount-sys-proc", no_argument, 0, 'R'},
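Review bot: switching to `optional_argument` means glibc's `getopt_long` only takes the value when it is attached (`-eCAP` or `--elevated-privileges=CAP`); a separate `-e CAP` leaves `arg` NULL, elevates everything, and then treats `CAP` as the command to run. That footgun should be spelled out in the usage text and manpage, or the option made `required_argument` with an explicit `ALL` token for the old behaviour.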
> @@ -87,7 +87,11 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg)
> int ret;
>
> switch (c) {
> - case 'e': elevated_privileges = 1; break;
> + case 'e':
> + ret = lxc_fill_elevated_privileges(arg, &elevated_privileges);
> + if (ret)
> + return -1;
> + break;
> case 'R': remount_sys_proc = 1; break;
> case 'a':
> new_personality = lxc_config_parse_arch(arg);
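Review bot: the `'e'` case returns -1 on a bad token without logging anything; add an `ERROR("Invalid privilege flag: %s", arg)` (or similar) before returning so the user learns which token was rejected, matching how the `'s'` case reports a bad namespace list.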
> @@ -138,9 +142,12 @@ Execute the specified COMMAND - enter the container NAME\n\
> \n\
> Options :\n\
> -n, --name=NAME NAME for name of the container\n\
> - -e, --elevated-privileges\n\
> - Use elevated privileges (capabilities, cgroup\n\
> - restrictions) instead of those of the container.\n\
> + -e, --elevated-privileges=PRIVILEGES\n\
> + Use elevated privileges instead of those of the\n\
> + container. If you don't specify privileges to be\n\
> + elevated as OR'd list: CAP, CGROUP and LSM (capabilities,\n\
> + cgroup and restrictions, respectively) then all of them\n\
> + will be elevated.\n\
> WARNING: This may leak privileges into the container.\n\
> Use with care.\n\
> -a, --arch=ARCH Use ARCH for program instead of container's own\n\
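Review bot: the sentence "If you don't specify privileges to be elevated as OR'd list: CAP, CGROUP and LSM ... then all of them will be elevated" is hard to parse; split it into two, e.g. "PRIVILEGES is an OR'd list of CAP, CGROUP and LSM (capabilities, cgroup and LSM label restrictions). If no list is given, all of them are elevated." and state that the `=` form is required because the argument is optional.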
> @@ -148,9 +155,10 @@ Options :\n\
> -s, --namespaces=FLAGS\n\
> Don't attach to all the namespaces of the container\n\
> but just to the following OR'd list of flags:\n\
> - MOUNT, PID, UTSNAME, IPC, USER or NETWORK\n\
> - WARNING: Using -s implies -e, it may therefore\n\
> - leak privileges into the container. Use with care.\n\
> + MOUNT, PID, UTSNAME, IPC, USER or NETWORK.\n\
> + WARNING: Using -s implies -e with all privileges\n\
> + elevated, it may therefore leak privileges into the\n\
> + container. Use with care.\n\
> -R, --remount-sys-proc\n\
> Remount /sys and /proc if not attaching to the\n\
> mount namespace when using -s in order to properly\n\
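Review bot: the reworded warning still asserts that "-s implies -e with all privileges elevated", but nothing in this patch implements that implication, and the `elevated_privileges = 1` assignment it would rely on is the one that no longer means "all" (see the last hunk); either add the enforcement in `my_parser` or `main` using the full three-flag mask, or drop the claim from the help text.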
> @@ -199,7 +207,7 @@ int main(int argc, char *argv[])
> if (remount_sys_proc)
> attach_options.attach_flags |= LXC_ATTACH_REMOUNT_PROC_SYS;
> if (elevated_privileges)
> - attach_options.attach_flags &= ~(LXC_ATTACH_MOVE_TO_CGROUP | LXC_ATTACH_DROP_CAPABILITIES | LXC_ATTACH_LSM_EXEC);
> + attach_options.attach_flags &= ~(elevated_privileges);
> attach_options.namespaces = namespace_flags;
> attach_options.personality = new_personality;
> attach_options.env_policy = env_policy;
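Review bot: `elevated_privileges` has changed meaning from a boolean to a bitmask of restriction flags to clear, but only this one use is updated; any remaining `elevated_privileges = 1` assignment in the file now clears just whichever `LXC_ATTACH_*` flag happens to have the value 1 instead of all three, silently weakening the "-s/-R implies -e" path. Those sites should assign `LXC_ATTACH_MOVE_TO_CGROUP | LXC_ATTACH_DROP_CAPABILITIES | LXC_ATTACH_LSM_EXEC`, and a named constant for that mask would keep the three places in sync. The parentheses in `~(elevated_privileges)` are redundant.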
> --
> 1.8.4.2
>
>