From 8727e4904e7a6588e39f231d837f4527f265e47e Mon Sep 17 00:00:00 2001
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Date: Tue, 5 May 2020 16:35:59 +0100
Subject: [PATCH 8/9] virtiofsd: only retain file system capabilities
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: <20200505163600.22956-7-dgilbert@redhat.com>
Patchwork-id: 96272
O-Subject: [RHEL-AV-8.2.1 qemu-kvm PATCH 6/7] virtiofsd: only retain file system capabilities
Bugzilla: 1817445
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
From: Stefan Hajnoczi <stefanha@redhat.com>
virtiofsd runs as root but only needs a subset of root's Linux
capabilities(7). As a file server its purpose is to create and access
files on behalf of a client. It needs to be able to access files with
arbitrary uid/gid owners. It also needs to be able to create device nodes.
Introduce a Linux capabilities(7) whitelist and drop all capabilities
that we don't need, making the virtiofsd process less powerful than a
regular uid root process.
# cat /proc/PID/status
...
Before After
CapInh: 0000000000000000 0000000000000000
CapPrm: 0000003fffffffff 00000000880000df
CapEff: 0000003fffffffff 00000000880000df
CapBnd: 0000003fffffffff 0000000000000000
CapAmb: 0000000000000000 0000000000000000
Note that file capabilities cannot be used to achieve the same effect on
the virtiofsd executable because mount is used during sandbox setup.
Therefore we drop capabilities programmatically at the right point
during startup.
This patch only affects the sandboxed child process. The parent process
that sits in waitpid(2) still has full root capabilities and will be
addressed in the next patch.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20200416164907.244868-2-stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit a59feb483b8fae24d043569ccfcc97ea23d54a02)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
tools/virtiofsd/passthrough_ll.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 614ba55..6358874 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -2723,6 +2723,43 @@ static void setup_mounts(const char *source)
}
|
/*
+ * Only keep whitelisted capabilities that are needed for file system operation
+ */
+static void setup_capabilities(void)
+{
+ pthread_mutex_lock(&cap.mutex);
+ capng_restore_state(&cap.saved);
+
+ /*
+ * Whitelist file system-related capabilities that are needed for a file
+ * server to act like root. Drop everything else like networking and
+ * sysadmin capabilities.
+ *
+ * Exclusions:
+ * 1. CAP_LINUX_IMMUTABLE is not included because it's only used via ioctl
+ * and we don't support that.
+ * 2. CAP_MAC_OVERRIDE is not included because it only seems to be
+ * used by the Smack LSM. Omit it until there is demand for it.
+ */
+ capng_setpid(syscall(SYS_gettid));
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE,
+ CAP_CHOWN,
+ CAP_DAC_OVERRIDE,
+ CAP_DAC_READ_SEARCH,
+ CAP_FOWNER,
+ CAP_FSETID,
+ CAP_SETGID,
+ CAP_SETUID,
+ CAP_MKNOD,
+ CAP_SETFCAP);
+ capng_apply(CAPNG_SELECT_BOTH);
+
+ cap.saved = capng_save_state();
+ pthread_mutex_unlock(&cap.mutex);
+}
+
+/*
* Lock down this process to prevent access to other processes or files outside
* source directory. This reduces the impact of arbitrary code execution bugs.
*/
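Review bot: The return values of capng_updatev() and capng_apply() in setup_capabilities() are ignored, so if either fails the sandboxed child continues to run with the full root capability set it started with — the opposite of what this step is meant to guarantee — and nothing is logged. Both calls report failure with a non-zero return in libcap-ng, so each should be checked and treated as fatal, like a failed mount or seccomp install would be; the exit path should go through the file's usual error reporting, which is not visible in this hunk. A smaller point: capng_setpid(syscall(SYS_gettid)) makes the drop thread-local, which is only sufficient if no other threads exist yet when setup_sandbox() runs — I assume that is the case here, but it deserves a one-line comment stating the assumption.
```c
    capng_setpid(syscall(SYS_gettid));
    capng_clear(CAPNG_SELECT_BOTH);
    if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE,
                      CAP_CHOWN,
                      /* … unchanged: CAP_DAC_OVERRIDE … CAP_MKNOD … */
                      CAP_SETFCAP) != 0) {
        /* report via the file's error log; never continue over-privileged */
        exit(1);
    }
    if (capng_apply(CAPNG_SELECT_BOTH) != 0) {
        exit(1);
    }
    /* … unchanged: capng_save_state(), mutex unlock … */
```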
@@ -2732,6 +2769,7 @@ static void setup_sandbox(struct lo_data *lo, struct fuse_session *se,
setup_namespaces(lo, se);
setup_mounts(lo->source);
setup_seccomp(enable_syslog);
+ setup_capabilities();
}
|
/* Set the maximum number of open file descriptors */
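Review bot: The position of the new setup_capabilities() call, after setup_seccomp(), is load-bearing and undocumented. Because the seccomp filter is already active when libcap-ng issues its capget()/capset() (and any prctl() for the bounding set) syscalls, the filter's allow-list must include them or the child is killed right here; the filter is not visible in this patch, so please confirm it does. The order also cannot simply be swapped, since as far as I know installing a seccomp filter without CAP_SYS_ADMIN requires no_new_privs to be set first. Suggest a comment on the new line: `/* after setup_seccomp(): the filter must permit capset/capget/prctl */`.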
--
1.8.3.1