[lxc-devel] [lxc/master] capability fixes

brauner on Github lxc-bot at linuxcontainers.org
Mon Jan 4 10:24:41 UTC 2021


From 24b77f47ad4cc791f6be0221b53cc791951a0ee5 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 10:45:44 +0100
Subject: [PATCH 1/6] macro: use ascending order for capabilities

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/macro.h | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 3dff019416..7a8e15f384 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -37,6 +37,14 @@
 #endif
 
 /* capabilities */
+#ifndef CAP_SETGID
+#define CAP_SETGID 6
+#endif
+
+#ifndef CAP_SETUID
+#define CAP_SETUID 7
+#endif
+
 #ifndef CAP_SYS_ADMIN
 #define CAP_SYS_ADMIN 21
 #endif
@@ -53,14 +61,6 @@
 #define CAP_MAC_ADMIN 33
 #endif
 
-#ifndef CAP_SETUID
-#define CAP_SETUID 7
-#endif
-
-#ifndef CAP_SETGID
-#define CAP_SETGID 6
-#endif
-
 /* prctl */
 #ifndef PR_CAPBSET_READ
 #define PR_CAPBSET_READ 23

From f2da98c04597cc55c84da67fca6ae54ee68e119d Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 10:50:07 +0100
Subject: [PATCH 2/6] conf: define missing capabilities

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/conf.c  | 12 ------------
 src/lxc/macro.h | 24 ++++++++++++++++++++++++
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index d5c069553a..bc0d01463c 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -210,28 +210,16 @@ static struct caps_opt caps_opt[] = {
 	{ "sys_tty_config",   CAP_SYS_TTY_CONFIG   },
 	{ "mknod",            CAP_MKNOD            },
 	{ "lease",            CAP_LEASE            },
-#ifdef CAP_AUDIT_READ
 	{ "audit_read",       CAP_AUDIT_READ       },
-#endif
-#ifdef CAP_AUDIT_WRITE
 	{ "audit_write",      CAP_AUDIT_WRITE      },
-#endif
-#ifdef CAP_AUDIT_CONTROL
 	{ "audit_control",    CAP_AUDIT_CONTROL    },
-#endif
 	{ "setfcap",          CAP_SETFCAP          },
 	{ "mac_override",     CAP_MAC_OVERRIDE     },
 	{ "mac_admin",        CAP_MAC_ADMIN        },
-#ifdef CAP_SYSLOG
 	{ "syslog",           CAP_SYSLOG           },
-#endif
-#ifdef CAP_WAKE_ALARM
 	{ "wake_alarm",       CAP_WAKE_ALARM       },
-#endif
-#ifdef CAP_BLOCK_SUSPEND
 	{ "block_suspend",    CAP_BLOCK_SUSPEND    },
 #endif
-#endif
 };
 
 static struct limit_opt limit_opt[] = {
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 7a8e15f384..4882b1781e 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -49,6 +49,14 @@
 #define CAP_SYS_ADMIN 21
 #endif
 
+#ifndef CAP_AUDIT_WRITE
+#define CAP_AUDIT_WRITE 29
+#endif
+
+#ifndef CAP_AUDIT_CONTROL
+#define CAP_AUDIT_CONTROL 30
+#endif
+
 #ifndef CAP_SETFCAP
 #define CAP_SETFCAP 31
 #endif
@@ -61,6 +69,22 @@
 #define CAP_MAC_ADMIN 33
 #endif
 
+#ifndef CAP_SYSLOG
+#define CAP_SYSLOG 34
+#endif
+
+#ifndef CAP_WAKE_ALARM
+#define CAP_WAKE_ALARM 35
+#endif
+
+#ifndef CAP_BLOCK_SUSPEND
+#define CAP_BLOCK_SUSPEND 36
+#endif
+
+#ifndef CAP_AUDIT_READ
+#define CAP_AUDIT_READ 37
+#endif
+
 /* prctl */
 #ifndef PR_CAPBSET_READ
 #define PR_CAPBSET_READ 23

From 7b4cd4681da399acc1775773d7967a3c94635346 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 10:53:19 +0100
Subject: [PATCH 3/6] conf: add new capabilities
 CAP_{BLOCK_SUSPEND,PERFMON,BPF,CHECKPOINT_RESTORE}

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/conf.c  | 79 +++++++++++++++++++++++++------------------------
 src/lxc/macro.h | 12 ++++++++
 2 files changed, 53 insertions(+), 38 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index bc0d01463c..30870aa5b3 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -181,44 +181,47 @@ static struct mount_opt propagation_opt[] = {
 
 static struct caps_opt caps_opt[] = {
 #if HAVE_LIBCAP
-	{ "chown",            CAP_CHOWN            },
-	{ "dac_override",     CAP_DAC_OVERRIDE     },
-	{ "dac_read_search",  CAP_DAC_READ_SEARCH  },
-	{ "fowner",           CAP_FOWNER           },
-	{ "fsetid",           CAP_FSETID           },
-	{ "kill",             CAP_KILL             },
-	{ "setgid",           CAP_SETGID           },
-	{ "setuid",           CAP_SETUID           },
-	{ "setpcap",          CAP_SETPCAP          },
-	{ "linux_immutable",  CAP_LINUX_IMMUTABLE  },
-	{ "net_bind_service", CAP_NET_BIND_SERVICE },
-	{ "net_broadcast",    CAP_NET_BROADCAST    },
-	{ "net_admin",        CAP_NET_ADMIN        },
-	{ "net_raw",          CAP_NET_RAW          },
-	{ "ipc_lock",         CAP_IPC_LOCK         },
-	{ "ipc_owner",        CAP_IPC_OWNER        },
-	{ "sys_module",       CAP_SYS_MODULE       },
-	{ "sys_rawio",        CAP_SYS_RAWIO        },
-	{ "sys_chroot",       CAP_SYS_CHROOT       },
-	{ "sys_ptrace",       CAP_SYS_PTRACE       },
-	{ "sys_pacct",        CAP_SYS_PACCT        },
-	{ "sys_admin",        CAP_SYS_ADMIN        },
-	{ "sys_boot",         CAP_SYS_BOOT         },
-	{ "sys_nice",         CAP_SYS_NICE         },
-	{ "sys_resource",     CAP_SYS_RESOURCE     },
-	{ "sys_time",         CAP_SYS_TIME         },
-	{ "sys_tty_config",   CAP_SYS_TTY_CONFIG   },
-	{ "mknod",            CAP_MKNOD            },
-	{ "lease",            CAP_LEASE            },
-	{ "audit_read",       CAP_AUDIT_READ       },
-	{ "audit_write",      CAP_AUDIT_WRITE      },
-	{ "audit_control",    CAP_AUDIT_CONTROL    },
-	{ "setfcap",          CAP_SETFCAP          },
-	{ "mac_override",     CAP_MAC_OVERRIDE     },
-	{ "mac_admin",        CAP_MAC_ADMIN        },
-	{ "syslog",           CAP_SYSLOG           },
-	{ "wake_alarm",       CAP_WAKE_ALARM       },
-	{ "block_suspend",    CAP_BLOCK_SUSPEND    },
+	{ "chown",              CAP_CHOWN              },
+	{ "dac_override",       CAP_DAC_OVERRIDE       },
+	{ "dac_read_search",    CAP_DAC_READ_SEARCH    },
+	{ "fowner",             CAP_FOWNER             },
+	{ "fsetid",             CAP_FSETID             },
+	{ "kill",               CAP_KILL               },
+	{ "setgid",             CAP_SETGID             },
+	{ "setuid",             CAP_SETUID             },
+	{ "setpcap",            CAP_SETPCAP            },
+	{ "linux_immutable",    CAP_LINUX_IMMUTABLE    },
+	{ "net_bind_service",   CAP_NET_BIND_SERVICE   },
+	{ "net_broadcast",      CAP_NET_BROADCAST      },
+	{ "net_admin",          CAP_NET_ADMIN          },
+	{ "net_raw",            CAP_NET_RAW            },
+	{ "ipc_lock",           CAP_IPC_LOCK           },
+	{ "ipc_owner",          CAP_IPC_OWNER          },
+	{ "sys_module",         CAP_SYS_MODULE         },
+	{ "sys_rawio",          CAP_SYS_RAWIO          },
+	{ "sys_chroot",         CAP_SYS_CHROOT         },
+	{ "sys_ptrace",         CAP_SYS_PTRACE         },
+	{ "sys_pacct",          CAP_SYS_PACCT          },
+	{ "sys_admin",          CAP_SYS_ADMIN          },
+	{ "sys_boot",           CAP_SYS_BOOT           },
+	{ "sys_nice",           CAP_SYS_NICE           },
+	{ "sys_resource",       CAP_SYS_RESOURCE       },
+	{ "sys_time",           CAP_SYS_TIME           },
+	{ "sys_tty_config",     CAP_SYS_TTY_CONFIG     },
+	{ "mknod",              CAP_MKNOD              },
+	{ "lease",              CAP_LEASE              },
+	{ "audit_write",        CAP_AUDIT_WRITE        },
+	{ "audit_control",      CAP_AUDIT_CONTROL      },
+	{ "setfcap",            CAP_SETFCAP            },
+	{ "mac_override",       CAP_MAC_OVERRIDE       },
+	{ "mac_admin",          CAP_MAC_ADMIN          },
+	{ "syslog",             CAP_SYSLOG             },
+	{ "wake_alarm",         CAP_WAKE_ALARM         },
+	{ "block_suspend",      CAP_BLOCK_SUSPEND      },
+	{ "audit_read",         CAP_AUDIT_READ         },
+	{ "perfmon",            CAP_PERFMON            },
+	{ "bpf",                CAP_BPF                },
+	{ "checkpoint_restore", CAP_CHECKPOINT_RESTORE },
 #endif
 };
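Review bot: The new `perfmon`, `bpf` and `checkpoint_restore` rows (and the now-unconditional `audit_read` through `block_suspend` rows) make these names parse on every build, but the table says nothing about whether the running kernel knows the number; the values can come from the fallback defines in macro.h, and a kernel that predates a capability rejects a bounding-set drop of that number with EINVAL. The apply path for lxc.cap.drop/keep is outside this hunk, so confirm it skips or reports capabilities above the kernel's last known one instead of failing container start or silently leaving part of a keep list unapplied. A comment above the table would make the contract visible: `/* Names accepted by lxc.cap.drop/keep. Values may be fallbacks from macro.h, so a name parsing does not imply the running kernel supports it. */`.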
 
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 4882b1781e..24d80fe16e 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -85,6 +85,18 @@
 #define CAP_AUDIT_READ 37
 #endif
 
+#ifndef CAP_PERFMON
+#define CAP_PERFMON 38
+#endif
+
+#ifndef CAP_BPF
+#define CAP_BPF 39
+#endif
+
+#ifndef CAP_CHECKPOINT_RESTORE
+#define CAP_CHECKPOINT_RESTORE 40
+#endif
+
 /* prctl */
 #ifndef PR_CAPBSET_READ
 #define PR_CAPBSET_READ 23

From fa934e3e24bd08ab1b49f5bd3aeff0406eff12f0 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 11:15:34 +0100
Subject: [PATCH 4/6] macro: define all capabilities

Fixes: #3612
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/macro.h | 134 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 119 insertions(+), 15 deletions(-)

diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 24d80fe16e..092782aab8 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -37,64 +37,168 @@
 #endif
 
 /* capabilities */
+#ifndef CAP_CHOWN
+#define CAP_CHOWN            	0
+#endif
+
+#ifndef CAP_DAC_OVERRIDE
+#define CAP_DAC_OVERRIDE     	1
+#endif
+
+#ifndef CAP_DAC_READ_SEARCH
+#define CAP_DAC_READ_SEARCH  	2
+#endif
+
+#ifndef CAP_FOWNER
+#define CAP_FOWNER           	3
+#endif
+
+#ifndef CAP_FSETID
+#define CAP_FSETID           	4
+#endif
+
+#ifndef CAP_KILL
+#define CAP_KILL             	5
+#endif
+
 #ifndef CAP_SETGID
-#define CAP_SETGID 6
+#define CAP_SETGID           	6
 #endif
 
 #ifndef CAP_SETUID
-#define CAP_SETUID 7
+#define CAP_SETUID           	7
+#endif
+
+#ifndef CAP_SETPCAP
+#define CAP_SETPCAP          	8
+#endif
+
+#ifndef CAP_LINUX_IMMUTABLE
+#define CAP_LINUX_IMMUTABLE  	9
+#endif
+
+#ifndef CAP_NET_BIND_SERVICE
+#define CAP_NET_BIND_SERVICE 	10
+#endif
+
+#ifndef CAP_NET_BROADCAST
+#define CAP_NET_BROADCAST    	11
+#endif
+
+#ifndef CAP_NET_ADMIN
+#define CAP_NET_ADMIN        	12
+#endif
+
+#ifndef CAP_NET_RAW
+#define CAP_NET_RAW          	13
+#endif
+
+#ifndef CAP_IPC_LOCK
+#define CAP_IPC_LOCK         	14
+#endif
+
+#ifndef CAP_IPC_OWNER
+#define CAP_IPC_OWNER        	15
+#endif
+
+#ifndef CAP_SYS_MODULE
+#define CAP_SYS_MODULE       	16
+#endif
+
+#ifndef CAP_SYS_RAWIO
+#define CAP_SYS_RAWIO        	17
+#endif
+
+#ifndef CAP_SYS_CHROOT
+#define CAP_SYS_CHROOT       	18
+#endif
+
+#ifndef CAP_SYS_PTRACE
+#define CAP_SYS_PTRACE       	19
+#endif
+
+#ifndef CAP_SYS_PACCT
+#define CAP_SYS_PACCT        	20
 #endif
 
 #ifndef CAP_SYS_ADMIN
-#define CAP_SYS_ADMIN 21
+#define CAP_SYS_ADMIN        	21
+#endif
+
+#ifndef CAP_SYS_BOOT
+#define CAP_SYS_BOOT         	22
+#endif
+
+#ifndef CAP_SYS_NICE
+#define CAP_SYS_NICE         	23
+#endif
+
+#ifndef CAP_SYS_RESOURCE
+#define CAP_SYS_RESOURCE     	24
+#endif
+
+#ifndef CAP_SYS_TIME
+#define CAP_SYS_TIME         	25
+#endif
+
+#ifndef CAP_SYS_TTY_CONFIG
+#define CAP_SYS_TTY_CONFIG   	26
+#endif
+
+#ifndef CAP_MKNOD
+#define CAP_MKNOD            	27
+#endif
+
+#ifndef CAP_LEASE
+#define CAP_LEASE            	28
 #endif
 
 #ifndef CAP_AUDIT_WRITE
-#define CAP_AUDIT_WRITE 29
+#define CAP_AUDIT_WRITE      	29
 #endif
 
 #ifndef CAP_AUDIT_CONTROL
-#define CAP_AUDIT_CONTROL 30
+#define CAP_AUDIT_CONTROL    	30
 #endif
 
 #ifndef CAP_SETFCAP
-#define CAP_SETFCAP 31
+#define CAP_SETFCAP	     	31
 #endif
 
 #ifndef CAP_MAC_OVERRIDE
-#define CAP_MAC_OVERRIDE 32
+#define CAP_MAC_OVERRIDE     	32
 #endif
 
 #ifndef CAP_MAC_ADMIN
-#define CAP_MAC_ADMIN 33
+#define CAP_MAC_ADMIN        	33
 #endif
 
 #ifndef CAP_SYSLOG
-#define CAP_SYSLOG 34
+#define CAP_SYSLOG           	34
 #endif
 
 #ifndef CAP_WAKE_ALARM
-#define CAP_WAKE_ALARM 35
+#define CAP_WAKE_ALARM       	35
 #endif
 
 #ifndef CAP_BLOCK_SUSPEND
-#define CAP_BLOCK_SUSPEND 36
+#define CAP_BLOCK_SUSPEND    	36
 #endif
 
 #ifndef CAP_AUDIT_READ
-#define CAP_AUDIT_READ 37
+#define CAP_AUDIT_READ		37
 #endif
 
 #ifndef CAP_PERFMON
-#define CAP_PERFMON 38
+#define CAP_PERFMON		38
 #endif
 
 #ifndef CAP_BPF
-#define CAP_BPF 39
+#define CAP_BPF			39
 #endif
 
 #ifndef CAP_CHECKPOINT_RESTORE
-#define CAP_CHECKPOINT_RESTORE 40
+#define CAP_CHECKPOINT_RESTORE	40
 #endif
 
 /* prctl */
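Review bot: These fallback values become the capability numbers used by the name table in conf.c whenever the build headers lack the symbol, so a wrong number here would make `lxc.cap.drop`/`lxc.cap.keep` act on a different capability with no warning; the values as posted match <linux/capability.h> (CAP_CHOWN 0 through CAP_CHECKPOINT_RESTORE 40), but nothing in the block states that this is kernel ABI. Suggest a comment above the first define: `/* Fallbacks mirroring <linux/capability.h>, used only when the build headers predate a capability. These are kernel ABI: copy verbatim, never renumber. */`. Style: the alignment mixes space padding with tabs (e.g. `CAP_SETFCAP` on its own versus the tab-only `CAP_AUDIT_READ`..`CAP_CHECKPOINT_RESTORE` lines), so pick one form for the whole block.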

From 309ae2876fe9f58a8db21c5218b859cfc441e597 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 11:06:02 +0100
Subject: [PATCH 5/6] conf: add lxc_wants_cap() helper

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/cgroups/cgfsng.c | 5 +----
 src/lxc/conf.h           | 9 +++++++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 0078b3c858..bf181987f1 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1832,10 +1832,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 	}
 
 	if (!wants_force_mount) {
-		if (!lxc_list_empty(&handler->conf->keepcaps))
-			wants_force_mount = !in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
-		else
-			wants_force_mount = in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
+		wants_force_mount = lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
 
 		/*
 		 * Most recent distro versions currently have init system that
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 84b0f81b0f..5a501b442a 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -514,6 +514,15 @@ __hidden extern int run_script(const char *name, const char *section, const char
 __hidden extern int run_script_argv(const char *name, unsigned int hook_version, const char *section,
 				    const char *script, const char *hookname, char **argsin);
 __hidden extern int in_caplist(int cap, struct lxc_list *caps);
+
+static inline int lxc_wants_cap(int cap, struct lxc_conf *conf)
+{
+	if (!lxc_list_empty(&conf->keepcaps))
+		return !in_caplist(cap, &conf->keepcaps);
+
+	return in_caplist(cap, &conf->caps);
+}
+
 __hidden extern int setup_sysctl_parameters(struct lxc_list *sysctls);
 __hidden extern int lxc_clear_sysctls(struct lxc_conf *c, const char *key);
 __hidden extern int setup_proc_filesystem(struct lxc_list *procs, pid_t pid);
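Review bot: `lxc_wants_cap()` returns true when the capability is absent, not when it is wanted: the keepcaps branch returns `!in_caplist(cap, &conf->keepcaps)` and the fallthrough returns `in_caplist(cap, &conf->caps)`, which is exactly the "CAP_SYS_ADMIN was dropped" value cgfsng previously computed inline for `wants_force_mount` and now assigns from this helper unchanged. The name invites every future caller to read it as "has the cap", so the inversion will propagate; either rename it (e.g. `lxc_cap_dropped()`) or flip the body to `return in_caplist(cap, &conf->keepcaps);` / `return !in_caplist(cap, &conf->caps);` and negate at the cgfsng call site, `wants_force_mount = !lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);`. This assumes `conf->caps` holds lxc.cap.drop and `conf->keepcaps` lxc.cap.keep, which the opposite signs of the two branches already imply. A one-line comment stating which list wins when both are set (keepcaps takes precedence here) would also help.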

From d84b26bc8b531c8a8491b6c2061146d958acb63a Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 4 Jan 2021 11:21:53 +0100
Subject: [PATCH 6/6] conf: fix CAP_NET_ADMIN-based mount handling

Fixes: e8b9c9ec6fb9 ("unmounted proc/sys/net if dropping CAP_NET_ADMIN")
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/conf.c | 4 ++--
 src/lxc/conf.h | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 30870aa5b3..3ddd30bf20 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -640,8 +640,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
 		{ 0,                  0,                   NULL,                                             NULL,                         NULL,    0,                                               NULL, 0 }
 	};
 
-	bool has_cap_net_admin = in_caplist(CAP_NET_ADMIN, &conf->caps);
-	for (i = 0; default_mounts[i].match_mask; i++) {
+        bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
+        for (i = 0; default_mounts[i].match_mask; i++) {
 		__do_free char *destination = NULL, *source = NULL;
 		int saved_errno;
 		unsigned long mflags;
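Review bot: `has_cap_net_admin` now takes the value of `lxc_wants_cap()`, whose body as introduced earlier in this series returns true when the capability is in the drop list or missing from the keep list, so unless that helper's polarity is fixed first this variable means the opposite of its name and the /proc/sys/net handling that depends on it (outside this hunk) is inverted. Separately, the two rewritten lines switched from the file's tab indentation to eight spaces; keep `bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);` and the `for` line tab-indented like the surrounding code. lxc_mount_auto_mounts() starts and ends outside the hunk.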
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 5a501b442a..46bab5b303 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -15,6 +15,7 @@
 #include <sys/types.h>
 #include <sys/vfs.h>
 
+#include "caps.h"
 #include "compiler.h"
 #include "config.h"
 #include "list.h"
@@ -515,8 +516,11 @@ __hidden extern int run_script_argv(const char *name, unsigned int hook_version,
 				    const char *script, const char *hookname, char **argsin);
 __hidden extern int in_caplist(int cap, struct lxc_list *caps);
 
-static inline int lxc_wants_cap(int cap, struct lxc_conf *conf)
+static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
 {
+	if (lxc_caps_last_cap() < cap)
+		return false;
+
 	if (!lxc_list_empty(&conf->keepcaps))
 		return !in_caplist(cap, &conf->keepcaps);
 
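Review bot: The new `if (lxc_caps_last_cap() < cap) return false;` encodes "the kernel does not know this capability, so the container cannot have it", which only agrees with the two returns below if the function means "has the cap"; as the body stands (`!in_caplist(keepcaps)` / `in_caplist(caps)`, true when the cap is dropped) the guard instead reports an unsupported capability as present, and the cgfsng caller that stores the result in `wants_force_mount` reads it the other way round. Settle the polarity in one place: keep the guard, change the two returns to `return in_caplist(cap, &conf->keepcaps);` and `return !in_caplist(cap, &conf->caps);`, and negate at the cgfsng call site. The guard also silently answers "not wanted" for a capability the user explicitly put in lxc.cap.keep on an older kernel; if that is intended, say so: `/* A capability newer than the running kernel can never be granted, whatever the config says. */`.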

