[lxc-devel] [lxc/master] capability fixes
brauner on Github
lxc-bot at linuxcontainers.org
Mon Jan 4 10:24:41 UTC 2021
From 24b77f47ad4cc791f6be0221b53cc791951a0ee5 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 10:45:44 +0100
Subject: [PATCH 1/6] macro: use ascending order for capabilities
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/macro.h | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 3dff019416..7a8e15f384 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -37,6 +37,14 @@
#endif
/* capabilities */
+#ifndef CAP_SETGID
+#define CAP_SETGID 6
+#endif
+
+#ifndef CAP_SETUID
+#define CAP_SETUID 7
+#endif
+
#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21
#endif
@@ -53,14 +61,6 @@
#define CAP_MAC_ADMIN 33
#endif
-#ifndef CAP_SETUID
-#define CAP_SETUID 7
-#endif
-
-#ifndef CAP_SETGID
-#define CAP_SETGID 6
-#endif
-
/* prctl */
#ifndef PR_CAPBSET_READ
#define PR_CAPBSET_READ 23
From f2da98c04597cc55c84da67fca6ae54ee68e119d Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 10:50:07 +0100
Subject: [PATCH 2/6] conf: define missing capabilities
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/conf.c | 12 ------------
src/lxc/macro.h | 24 ++++++++++++++++++++++++
2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index d5c069553a..bc0d01463c 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -210,28 +210,16 @@ static struct caps_opt caps_opt[] = {
{ "sys_tty_config", CAP_SYS_TTY_CONFIG },
{ "mknod", CAP_MKNOD },
{ "lease", CAP_LEASE },
-#ifdef CAP_AUDIT_READ
{ "audit_read", CAP_AUDIT_READ },
-#endif
-#ifdef CAP_AUDIT_WRITE
{ "audit_write", CAP_AUDIT_WRITE },
-#endif
-#ifdef CAP_AUDIT_CONTROL
{ "audit_control", CAP_AUDIT_CONTROL },
-#endif
{ "setfcap", CAP_SETFCAP },
{ "mac_override", CAP_MAC_OVERRIDE },
{ "mac_admin", CAP_MAC_ADMIN },
-#ifdef CAP_SYSLOG
{ "syslog", CAP_SYSLOG },
-#endif
-#ifdef CAP_WAKE_ALARM
{ "wake_alarm", CAP_WAKE_ALARM },
-#endif
-#ifdef CAP_BLOCK_SUSPEND
{ "block_suspend", CAP_BLOCK_SUSPEND },
#endif
-#endif
};
static struct limit_opt limit_opt[] = {
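Review bot: Dropping the `#ifdef` guards changes what a build against old headers accepts: a config naming `syslog`, `wake_alarm` or `audit_read` used to fail lookup in this table and now resolves to the fallback number from macro.h even though neither the build headers nor, possibly, the running kernel know that capability. That is only safe if every consumer of these numbers compares against the kernel's last capability before acting on them, which this hunk cannot show. I would record the new invariant on the table: `/* Always fully populated; values may come from macro.h fallbacks and can exceed the running kernel's last cap — check lxc_caps_last_cap() before acting on one. */`. The caps_opt definition starts before this hunk.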
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 7a8e15f384..4882b1781e 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -49,6 +49,14 @@
#define CAP_SYS_ADMIN 21
#endif
+#ifndef CAP_AUDIT_WRITE
+#define CAP_AUDIT_WRITE 29
+#endif
+
+#ifndef CAP_AUDIT_CONTROL
+#define CAP_AUDIT_CONTROL 30
+#endif
+
#ifndef CAP_SETFCAP
#define CAP_SETFCAP 31
#endif
@@ -61,6 +69,22 @@
#define CAP_MAC_ADMIN 33
#endif
+#ifndef CAP_SYSLOG
+#define CAP_SYSLOG 34
+#endif
+
+#ifndef CAP_WAKE_ALARM
+#define CAP_WAKE_ALARM 35
+#endif
+
+#ifndef CAP_BLOCK_SUSPEND
+#define CAP_BLOCK_SUSPEND 36
+#endif
+
+#ifndef CAP_AUDIT_READ
+#define CAP_AUDIT_READ 37
+#endif
+
/* prctl */
#ifndef PR_CAPBSET_READ
#define PR_CAPBSET_READ 23
From 7b4cd4681da399acc1775773d7967a3c94635346 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 10:53:19 +0100
Subject: [PATCH 3/6] conf: add new capabilities
CAP_{BLOCK_SUSPEND,PERFMON,BPF,CHECKPOINT_RESTORE}
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/conf.c | 79 +++++++++++++++++++++++++------------------------
src/lxc/macro.h | 12 ++++++++
2 files changed, 53 insertions(+), 38 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index bc0d01463c..30870aa5b3 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -181,44 +181,47 @@ static struct mount_opt propagation_opt[] = {
static struct caps_opt caps_opt[] = {
#if HAVE_LIBCAP
- { "chown", CAP_CHOWN },
- { "dac_override", CAP_DAC_OVERRIDE },
- { "dac_read_search", CAP_DAC_READ_SEARCH },
- { "fowner", CAP_FOWNER },
- { "fsetid", CAP_FSETID },
- { "kill", CAP_KILL },
- { "setgid", CAP_SETGID },
- { "setuid", CAP_SETUID },
- { "setpcap", CAP_SETPCAP },
- { "linux_immutable", CAP_LINUX_IMMUTABLE },
- { "net_bind_service", CAP_NET_BIND_SERVICE },
- { "net_broadcast", CAP_NET_BROADCAST },
- { "net_admin", CAP_NET_ADMIN },
- { "net_raw", CAP_NET_RAW },
- { "ipc_lock", CAP_IPC_LOCK },
- { "ipc_owner", CAP_IPC_OWNER },
- { "sys_module", CAP_SYS_MODULE },
- { "sys_rawio", CAP_SYS_RAWIO },
- { "sys_chroot", CAP_SYS_CHROOT },
- { "sys_ptrace", CAP_SYS_PTRACE },
- { "sys_pacct", CAP_SYS_PACCT },
- { "sys_admin", CAP_SYS_ADMIN },
- { "sys_boot", CAP_SYS_BOOT },
- { "sys_nice", CAP_SYS_NICE },
- { "sys_resource", CAP_SYS_RESOURCE },
- { "sys_time", CAP_SYS_TIME },
- { "sys_tty_config", CAP_SYS_TTY_CONFIG },
- { "mknod", CAP_MKNOD },
- { "lease", CAP_LEASE },
- { "audit_read", CAP_AUDIT_READ },
- { "audit_write", CAP_AUDIT_WRITE },
- { "audit_control", CAP_AUDIT_CONTROL },
- { "setfcap", CAP_SETFCAP },
- { "mac_override", CAP_MAC_OVERRIDE },
- { "mac_admin", CAP_MAC_ADMIN },
- { "syslog", CAP_SYSLOG },
- { "wake_alarm", CAP_WAKE_ALARM },
- { "block_suspend", CAP_BLOCK_SUSPEND },
+ { "chown", CAP_CHOWN },
+ { "dac_override", CAP_DAC_OVERRIDE },
+ { "dac_read_search", CAP_DAC_READ_SEARCH },
+ { "fowner", CAP_FOWNER },
+ { "fsetid", CAP_FSETID },
+ { "kill", CAP_KILL },
+ { "setgid", CAP_SETGID },
+ { "setuid", CAP_SETUID },
+ { "setpcap", CAP_SETPCAP },
+ { "linux_immutable", CAP_LINUX_IMMUTABLE },
+ { "net_bind_service", CAP_NET_BIND_SERVICE },
+ { "net_broadcast", CAP_NET_BROADCAST },
+ { "net_admin", CAP_NET_ADMIN },
+ { "net_raw", CAP_NET_RAW },
+ { "ipc_lock", CAP_IPC_LOCK },
+ { "ipc_owner", CAP_IPC_OWNER },
+ { "sys_module", CAP_SYS_MODULE },
+ { "sys_rawio", CAP_SYS_RAWIO },
+ { "sys_chroot", CAP_SYS_CHROOT },
+ { "sys_ptrace", CAP_SYS_PTRACE },
+ { "sys_pacct", CAP_SYS_PACCT },
+ { "sys_admin", CAP_SYS_ADMIN },
+ { "sys_boot", CAP_SYS_BOOT },
+ { "sys_nice", CAP_SYS_NICE },
+ { "sys_resource", CAP_SYS_RESOURCE },
+ { "sys_time", CAP_SYS_TIME },
+ { "sys_tty_config", CAP_SYS_TTY_CONFIG },
+ { "mknod", CAP_MKNOD },
+ { "lease", CAP_LEASE },
+ { "audit_write", CAP_AUDIT_WRITE },
+ { "audit_control", CAP_AUDIT_CONTROL },
+ { "setfcap", CAP_SETFCAP },
+ { "mac_override", CAP_MAC_OVERRIDE },
+ { "mac_admin", CAP_MAC_ADMIN },
+ { "syslog", CAP_SYSLOG },
+ { "wake_alarm", CAP_WAKE_ALARM },
+ { "block_suspend", CAP_BLOCK_SUSPEND },
+ { "audit_read", CAP_AUDIT_READ },
+ { "perfmon", CAP_PERFMON },
+ { "bpf", CAP_BPF },
+ { "checkpoint_restore", CAP_CHECKPOINT_RESTORE },
#endif
};
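Review bot: The three new entries map names to capabilities that, on the kernels that introduced them, are as far as I recall still implied by CAP_SYS_ADMIN (the kernel's bpf_capable()/perfmon_capable() style helpers fall back to it), so `lxc.cap.drop = bpf` on its own does not restrict BPF while `sys_admin` is kept; that caveat belongs where a maintainer of this table will see it. The table is also now ordered by capability number, with `audit_read` moved after `block_suspend` for that reason, but nothing states the invariant. I would add above the first entry: `/* Ordered by capability number. perfmon/bpf/checkpoint_restore are split-offs of CAP_SYS_ADMIN; dropping them without also dropping sys_admin has no effect on kernels where sys_admin still implies them. */`. The hunk covers the whole caps_opt definition.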
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 4882b1781e..24d80fe16e 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -85,6 +85,18 @@
#define CAP_AUDIT_READ 37
#endif
+#ifndef CAP_PERFMON
+#define CAP_PERFMON 38
+#endif
+
+#ifndef CAP_BPF
+#define CAP_BPF 39
+#endif
+
+#ifndef CAP_CHECKPOINT_RESTORE
+#define CAP_CHECKPOINT_RESTORE 40
+#endif
+
/* prctl */
#ifndef PR_CAPBSET_READ
#define PR_CAPBSET_READ 23
From fa934e3e24bd08ab1b49f5bd3aeff0406eff12f0 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 11:15:34 +0100
Subject: [PATCH 4/6] macro: define all capabilities
Fixes: #3612
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/macro.h | 134 ++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 119 insertions(+), 15 deletions(-)
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 24d80fe16e..092782aab8 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -37,64 +37,168 @@
#endif
/* capabilities */
+#ifndef CAP_CHOWN
+#define CAP_CHOWN 0
+#endif
+
+#ifndef CAP_DAC_OVERRIDE
+#define CAP_DAC_OVERRIDE 1
+#endif
+
+#ifndef CAP_DAC_READ_SEARCH
+#define CAP_DAC_READ_SEARCH 2
+#endif
+
+#ifndef CAP_FOWNER
+#define CAP_FOWNER 3
+#endif
+
+#ifndef CAP_FSETID
+#define CAP_FSETID 4
+#endif
+
+#ifndef CAP_KILL
+#define CAP_KILL 5
+#endif
+
#ifndef CAP_SETGID
-#define CAP_SETGID 6
+#define CAP_SETGID 6
#endif
#ifndef CAP_SETUID
-#define CAP_SETUID 7
+#define CAP_SETUID 7
+#endif
+
+#ifndef CAP_SETPCAP
+#define CAP_SETPCAP 8
+#endif
+
+#ifndef CAP_LINUX_IMMUTABLE
+#define CAP_LINUX_IMMUTABLE 9
+#endif
+
+#ifndef CAP_NET_BIND_SERVICE
+#define CAP_NET_BIND_SERVICE 10
+#endif
+
+#ifndef CAP_NET_BROADCAST
+#define CAP_NET_BROADCAST 11
+#endif
+
+#ifndef CAP_NET_ADMIN
+#define CAP_NET_ADMIN 12
+#endif
+
+#ifndef CAP_NET_RAW
+#define CAP_NET_RAW 13
+#endif
+
+#ifndef CAP_IPC_LOCK
+#define CAP_IPC_LOCK 14
+#endif
+
+#ifndef CAP_IPC_OWNER
+#define CAP_IPC_OWNER 15
+#endif
+
+#ifndef CAP_SYS_MODULE
+#define CAP_SYS_MODULE 16
+#endif
+
+#ifndef CAP_SYS_RAWIO
+#define CAP_SYS_RAWIO 17
+#endif
+
+#ifndef CAP_SYS_CHROOT
+#define CAP_SYS_CHROOT 18
+#endif
+
+#ifndef CAP_SYS_PTRACE
+#define CAP_SYS_PTRACE 19
+#endif
+
+#ifndef CAP_SYS_PACCT
+#define CAP_SYS_PACCT 20
#endif
#ifndef CAP_SYS_ADMIN
-#define CAP_SYS_ADMIN 21
+#define CAP_SYS_ADMIN 21
+#endif
+
+#ifndef CAP_SYS_BOOT
+#define CAP_SYS_BOOT 22
+#endif
+
+#ifndef CAP_SYS_NICE
+#define CAP_SYS_NICE 23
+#endif
+
+#ifndef CAP_SYS_RESOURCE
+#define CAP_SYS_RESOURCE 24
+#endif
+
+#ifndef CAP_SYS_TIME
+#define CAP_SYS_TIME 25
+#endif
+
+#ifndef CAP_SYS_TTY_CONFIG
+#define CAP_SYS_TTY_CONFIG 26
+#endif
+
+#ifndef CAP_MKNOD
+#define CAP_MKNOD 27
+#endif
+
+#ifndef CAP_LEASE
+#define CAP_LEASE 28
#endif
#ifndef CAP_AUDIT_WRITE
-#define CAP_AUDIT_WRITE 29
+#define CAP_AUDIT_WRITE 29
#endif
#ifndef CAP_AUDIT_CONTROL
-#define CAP_AUDIT_CONTROL 30
+#define CAP_AUDIT_CONTROL 30
#endif
#ifndef CAP_SETFCAP
-#define CAP_SETFCAP 31
+#define CAP_SETFCAP 31
#endif
#ifndef CAP_MAC_OVERRIDE
-#define CAP_MAC_OVERRIDE 32
+#define CAP_MAC_OVERRIDE 32
#endif
#ifndef CAP_MAC_ADMIN
-#define CAP_MAC_ADMIN 33
+#define CAP_MAC_ADMIN 33
#endif
#ifndef CAP_SYSLOG
-#define CAP_SYSLOG 34
+#define CAP_SYSLOG 34
#endif
#ifndef CAP_WAKE_ALARM
-#define CAP_WAKE_ALARM 35
+#define CAP_WAKE_ALARM 35
#endif
#ifndef CAP_BLOCK_SUSPEND
-#define CAP_BLOCK_SUSPEND 36
+#define CAP_BLOCK_SUSPEND 36
#endif
#ifndef CAP_AUDIT_READ
-#define CAP_AUDIT_READ 37
+#define CAP_AUDIT_READ 37
#endif
#ifndef CAP_PERFMON
-#define CAP_PERFMON 38
+#define CAP_PERFMON 38
#endif
#ifndef CAP_BPF
-#define CAP_BPF 39
+#define CAP_BPF 39
#endif
#ifndef CAP_CHECKPOINT_RESTORE
-#define CAP_CHECKPOINT_RESTORE 40
+#define CAP_CHECKPOINT_RESTORE 40
#endif
/* prctl */
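Review bot: These fallback values are raw kernel ABI numbers and a single wrong digit would silently make a name in lxc.cap.drop/keep act on a different capability, yet nothing in the block says where they come from or how to check them. I would head the section with `/* Fallbacks mirror include/uapi/linux/capability.h; keep the numbers in sync when adding entries. */`. The values shown (0 for CAP_CHOWN through 40 for CAP_CHECKPOINT_RESTORE) match the upstream header as far as I can tell.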
From 309ae2876fe9f58a8db21c5218b859cfc441e597 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 11:06:02 +0100
Subject: [PATCH 5/6] conf: add lxc_wants_cap() helper
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/cgroups/cgfsng.c | 5 +----
src/lxc/conf.h | 9 +++++++++
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 0078b3c858..bf181987f1 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1832,10 +1832,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
}
if (!wants_force_mount) {
- if (!lxc_list_empty(&handler->conf->keepcaps))
- wants_force_mount = !in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
- else
- wants_force_mount = in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
+ wants_force_mount = lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
/*
* Most recent distro versions currently have init system that
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 84b0f81b0f..5a501b442a 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -514,6 +514,15 @@ __hidden extern int run_script(const char *name, const char *section, const char
__hidden extern int run_script_argv(const char *name, unsigned int hook_version, const char *section,
const char *script, const char *hookname, char **argsin);
__hidden extern int in_caplist(int cap, struct lxc_list *caps);
+
+static inline int lxc_wants_cap(int cap, struct lxc_conf *conf)
+{
+ if (!lxc_list_empty(&conf->keepcaps))
+ return !in_caplist(cap, &conf->keepcaps);
+
+ return in_caplist(cap, &conf->caps);
+}
+
__hidden extern int setup_sysctl_parameters(struct lxc_list *sysctls);
__hidden extern int lxc_clear_sysctls(struct lxc_conf *c, const char *key);
__hidden extern int setup_proc_filesystem(struct lxc_list *procs, pid_t pid);
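Review bot: `lxc_wants_cap()` returns the opposite of what its name says: with a non-empty keep list it returns `!in_caplist(cap, &conf->keepcaps)`, i.e. true when the capability is not kept, and otherwise `in_caplist(cap, &conf->caps)`, which from the cgfsng call site in this series reads as membership in the drop list — so the result means "this capability will be dropped". The cgfsng caller happens to want exactly that, but any new caller trusting the name gets inverted logic. I would flip both branches to `return in_caplist(cap, &conf->keepcaps);` and `return !in_caplist(cap, &conf->caps);`, negate the cgfsng call (`wants_force_mount = !lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);`), and document the contract: `/* True when the container will still hold @cap after lxc.cap.drop/lxc.cap.keep are applied. */`.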
From d84b26bc8b531c8a8491b6c2061146d958acb63a Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 11:21:53 +0100
Subject: [PATCH 6/6] conf: fix CAP_NET_ADMIN-based mount handling
Fixes: e8b9c9ec6fb9 ("unmounted proc/sys/net if dropping CAP_NET_ADMIN")
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/conf.c | 4 ++--
src/lxc/conf.h | 6 +++++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 30870aa5b3..3ddd30bf20 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -640,8 +640,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
{ 0, 0, NULL, NULL, NULL, 0, NULL, 0 }
};
- bool has_cap_net_admin = in_caplist(CAP_NET_ADMIN, &conf->caps);
- for (i = 0; default_mounts[i].match_mask; i++) {
+ bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
+ for (i = 0; default_mounts[i].match_mask; i++) {
__do_free char *destination = NULL, *source = NULL;
int saved_errno;
unsigned long mflags;
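Review bot: `has_cap_net_admin` is assigned from `lxc_wants_cap()`, which as defined earlier in this series returns true when the capability is absent from lxc.cap.keep or present in lxc.cap.drop — that is, when NET_ADMIN will be dropped, the opposite of the variable's name (the replaced `in_caplist(CAP_NET_ADMIN, &conf->caps)` had the same inversion, so this commit fixes the keep-list and last-cap cases but not that one). Whatever the loop below does with the flag, outside this hunk, is therefore keyed on the inverse of what the name suggests; if it gates the /proc/sys/net handling, containers that keep CAP_NET_ADMIN and containers that drop it swap paths. Either invert the helper's branches so the name is honest, or write `has_cap_net_admin = !lxc_wants_cap(CAP_NET_ADMIN, conf);` here with a comment saying why. lxc_mount_auto_mounts starts before this hunk and continues after it.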
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 5a501b442a..46bab5b303 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -15,6 +15,7 @@
#include <sys/types.h>
#include <sys/vfs.h>
+#include "caps.h"
#include "compiler.h"
#include "config.h"
#include "list.h"
@@ -515,8 +516,11 @@ __hidden extern int run_script_argv(const char *name, unsigned int hook_version,
const char *script, const char *hookname, char **argsin);
__hidden extern int in_caplist(int cap, struct lxc_list *caps);
-static inline int lxc_wants_cap(int cap, struct lxc_conf *conf)
+static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
{
+ if (lxc_caps_last_cap() < cap)
+ return false;
+
if (!lxc_list_empty(&conf->keepcaps))
return !in_caplist(cap, &conf->keepcaps);