qemu-kvm/kvm-virtiofs-drop-remapped-security.capability-xattr-as-.patch

From 6a0564e81d5e329f955c4391809daf248f078481 Mon Sep 17 00:00:00 2001
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Date: Thu, 4 Mar 2021 15:49:01 -0500
Subject: [PATCH 4/4] virtiofs: drop remapped security.capability xattr as
 needed

RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: <20210304154901.47930-3-dgilbert@redhat.com>
Patchwork-id: 101305
O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 2/2] virtiofs: drop remapped security.capability xattr as needed
Bugzilla: 1935071
RH-Acked-by: Connor Kuehl <ckuehl@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>

From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>

On Linux, the 'security.capability' xattr holds a set of
capabilities that can change when an executable is run, giving
a limited form of privilege escalation to those programs that
the writer of the file deemed worthy.

Any write causes the 'security.capability' xattr to be dropped,
stopping anyone from gaining privilege by modifying a blessed
file.

Fuse relies on the daemon to do this dropping, and in turn the
daemon relies on the host kernel to drop the xattr for it.  However,
with the addition of -o xattrmap, the xattr that the guest
stores its capabilities in is now not the same as the one that
the host kernel automatically clears.

Where the mapping changes 'security.capability', explicitly clear
the remapped name to preserve the same behaviour.

This bug is assigned CVE-2021-20263.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
(cherry picked from commit e586edcb410543768ef009eaa22a2d9dd4a53846)
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
  Downstream slight context difference due to missing d64907ac FUSE_HANDLE_KILLPRIV_V2
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
 docs/tools/virtiofsd.rst         |  4 ++
 tools/virtiofsd/passthrough_ll.c | 77 +++++++++++++++++++++++++++++++-
 2 files changed, 80 insertions(+), 1 deletion(-)

diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
index 5b3be8a6d6..6e0fc94005 100644
--- a/docs/tools/virtiofsd.rst
+++ b/docs/tools/virtiofsd.rst
@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix
 to the matched **key** (or all attributes if **key** is empty).
 There may be at most one 'map' rule and it must be the last rule in the set.
 
+Note: When the 'security.capability' xattr is remapped, the daemon has to do
+extra work to remove it during many operations, which the host kernel normally
+does itself.
+
 xattr-mapping Examples
 ----------------------
 
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index f06074d81f..9c33b0344b 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -160,6 +160,7 @@ struct lo_data {
     int posix_lock;
     int xattr;
     char *xattrmap;
+    char *xattr_security_capability;
     char *source;
     char *modcaps;
     double timeout;
@@ -226,6 +227,8 @@ static __thread bool cap_loaded = 0;
 
 static struct lo_inode *lo_find(struct lo_data *lo, struct stat *st,
                                 uint64_t mnt_id);
+static int xattr_map_client(const struct lo_data *lo, const char *client_name,
+                            char **out_name);
 
 static int is_dot_or_dotdot(const char *name)
 {
@@ -365,6 +368,37 @@ out:
     return ret;
 }
 
+/*
+ * The host kernel normally drops security.capability xattr's on
+ * any write, however if we're remapping xattr names we need to drop
+ * whatever the clients security.capability is actually stored as.
+ */
+static int drop_security_capability(const struct lo_data *lo, int fd)
+{
+    if (!lo->xattr_security_capability) {
+        /* We didn't remap the name, let the host kernel do it */
+        return 0;
+    }
+    if (!fremovexattr(fd, lo->xattr_security_capability)) {
+        /* All good */
+        return 0;
+    }
+
+    switch (errno) {
+    case ENODATA:
+        /* Attribute didn't exist, that's fine */
+        return 0;
+
+    case ENOTSUP:
+        /* FS didn't support attribute anyway, also fine */
+        return 0;
+
+    default:
+        /* Hmm other error */
+        return errno;
+    }
+}
+
 static void lo_map_init(struct lo_map *map)
 {
     map->elems = NULL;
@@ -718,6 +752,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
         uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1;
         gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1;
 
+        saverr = drop_security_capability(lo, ifd);
+        if (saverr) {
+            goto out_err;
+        }
+
         res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
         if (res == -1) {
             saverr = errno;
@@ -737,6 +776,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
             }
         }
 
+        saverr = drop_security_capability(lo, truncfd);
+        if (saverr) {
+            if (!fi) {
+                close(truncfd);
+            }
+            goto out_err;
+        }
+
         res = ftruncate(truncfd, attr->st_size);
         saverr = res == -1 ? errno : 0;
         if (!fi) {
@@ -1727,6 +1774,13 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
         if (fd < 0) {
             return -fd;
         }
+        if (fi->flags & (O_TRUNC)) {
+            int err = drop_security_capability(lo, fd);
+            if (err) {
+                close(fd);
+                return err;
+            }
+        }
     }
 
     pthread_mutex_lock(&lo->mutex);
@@ -2115,6 +2169,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino,
              "lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu)\n", ino,
              out_buf.buf[0].size, (unsigned long)off);
 
+    res = drop_security_capability(lo_data(req), out_buf.buf[0].fd);
+    if (res) {
+        fuse_reply_err(req, res);
+        return;
+    }
+
     /*
      * If kill_priv is set, drop CAP_FSETID which should lead to kernel
      * clearing setuid/setgid on file.
@@ -2354,6 +2414,7 @@ static void parse_xattrmap(struct lo_data *lo)
 {
     const char *map = lo->xattrmap;
     const char *tmp;
+    int ret;
 
     lo->xattr_map_nentries = 0;
     while (*map) {
@@ -2384,7 +2445,7 @@ static void parse_xattrmap(struct lo_data *lo)
              * the last entry.
              */
             parse_xattrmap_map(lo, map, sep);
-            return;
+            break;
         } else {
             fuse_log(FUSE_LOG_ERR,
                      "%s: Unexpected type;"
@@ -2453,6 +2514,19 @@ static void parse_xattrmap(struct lo_data *lo)
         fuse_log(FUSE_LOG_ERR, "Empty xattr map\n");
         exit(1);
     }
+
+    ret = xattr_map_client(lo, "security.capability",
+                           &lo->xattr_security_capability);
+    if (ret) {
+        fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n",
+                strerror(ret));
+        exit(1);
+    }
+    if (!strcmp(lo->xattr_security_capability, "security.capability")) {
+        /* 1-1 mapping, don't need to do anything */
+        free(lo->xattr_security_capability);
+        lo->xattr_security_capability = NULL;
+    }
 }
 
 /*
@@ -3481,6 +3555,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo)
 
     free(lo->xattrmap);
     free_xattrmap(lo);
+    free(lo->xattr_security_capability);
     free(lo->source);
 }
 
-- 
2.27.0
Synchronization with qemu-kvm-5.2.0-11.el8 2021-03-15 06:02:41 +00:00			`From 6a0564e81d5e329f955c4391809daf248f078481 Mon Sep 17 00:00:00 2001`
			`From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>`
			`Date: Thu, 4 Mar 2021 15:49:01 -0500`
			`Subject: [PATCH 4/4] virtiofs: drop remapped security.capability xattr as`
			`needed`

			`RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>`
			`Message-id: <20210304154901.47930-3-dgilbert@redhat.com>`
			`Patchwork-id: 101305`
			`O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 2/2] virtiofs: drop remapped security.capability xattr as needed`
			`Bugzilla: 1935071`
			`RH-Acked-by: Connor Kuehl <ckuehl@redhat.com>`
			`RH-Acked-by: Laszlo Ersek <lersek@redhat.com>`
			`RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>`

			`From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>`

			`On Linux, the 'security.capability' xattr holds a set of`
			`capabilities that can change when an executable is run, giving`
			`a limited form of privilege escalation to those programs that`
			`the writer of the file deemed worthy.`

			`Any write causes the 'security.capability' xattr to be dropped,`
			`stopping anyone from gaining privilege by modifying a blessed`
			`file.`

			`Fuse relies on the daemon to do this dropping, and in turn the`
			`daemon relies on the host kernel to drop the xattr for it. However,`
			`with the addition of -o xattrmap, the xattr that the guest`
			`stores its capabilities in is now not the same as the one that`
			`the host kernel automatically clears.`

			`Where the mapping changes 'security.capability', explicitly clear`
			`the remapped name to preserve the same behaviour.`

			`This bug is assigned CVE-2021-20263.`

			`Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>`
			`Reviewed-by: Vivek Goyal <vgoyal@redhat.com>`
			`(cherry picked from commit e586edcb410543768ef009eaa22a2d9dd4a53846)`
			`Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>`
			`Downstream slight context difference due to missing d64907ac FUSE_HANDLE_KILLPRIV_V2`
			`Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>`
			`---`
			`docs/tools/virtiofsd.rst \| 4 ++`
			`tools/virtiofsd/passthrough_ll.c \| 77 +++++++++++++++++++++++++++++++-`
			`2 files changed, 80 insertions(+), 1 deletion(-)`

			`diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst`
			`index 5b3be8a6d6..6e0fc94005 100644`
			`--- a/docs/tools/virtiofsd.rst`
			`+++ b/docs/tools/virtiofsd.rst`
			`@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add prepend as a prefix`
			`to the matched key (or all attributes if key is empty).`
			`There may be at most one 'map' rule and it must be the last rule in the set.`

			`+Note: When the 'security.capability' xattr is remapped, the daemon has to do`
			`+extra work to remove it during many operations, which the host kernel normally`
			`+does itself.`
			`+`
			`xattr-mapping Examples`
			`----------------------`

			`diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c`
			`index f06074d81f..9c33b0344b 100644`
			`--- a/tools/virtiofsd/passthrough_ll.c`
			`+++ b/tools/virtiofsd/passthrough_ll.c`
			`@@ -160,6 +160,7 @@ struct lo_data {`
			`int posix_lock;`
			`int xattr;`
			`char *xattrmap;`
			`+ char *xattr_security_capability;`
			`char *source;`
			`char *modcaps;`
			`double timeout;`
			`@@ -226,6 +227,8 @@ static __thread bool cap_loaded = 0;`

			`static struct lo_inode lo_find(struct lo_data lo, struct stat *st,`
			`uint64_t mnt_id);`
			`+static int xattr_map_client(const struct lo_data lo, const char client_name,`
			`+ char **out_name);`

			`static int is_dot_or_dotdot(const char *name)`
			`{`
			`@@ -365,6 +368,37 @@ out:`
			`return ret;`
			`}`

			`+/*`
			`+ * The host kernel normally drops security.capability xattr's on`
			`+ * any write, however if we're remapping xattr names we need to drop`
			`+ * whatever the clients security.capability is actually stored as.`
			`+ */`
			`+static int drop_security_capability(const struct lo_data *lo, int fd)`
			`+{`
			`+ if (!lo->xattr_security_capability) {`
			`+ /* We didn't remap the name, let the host kernel do it */`
			`+ return 0;`
			`+ }`
			`+ if (!fremovexattr(fd, lo->xattr_security_capability)) {`
			`+ /* All good */`
			`+ return 0;`
			`+ }`
			`+`
			`+ switch (errno) {`
			`+ case ENODATA:`
			`+ /* Attribute didn't exist, that's fine */`
			`+ return 0;`
			`+`
			`+ case ENOTSUP:`
			`+ /* FS didn't support attribute anyway, also fine */`
			`+ return 0;`
			`+`
			`+ default:`
			`+ /* Hmm other error */`
			`+ return errno;`
			`+ }`
			`+}`
			`+`
			`static void lo_map_init(struct lo_map *map)`
			`{`
			`map->elems = NULL;`
			`@@ -718,6 +752,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,`
			`uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1;`
			`gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1;`

			`+ saverr = drop_security_capability(lo, ifd);`
			`+ if (saverr) {`
			`+ goto out_err;`
			`+ }`
			`+`
			`res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH \| AT_SYMLINK_NOFOLLOW);`
			`if (res == -1) {`
			`saverr = errno;`
			`@@ -737,6 +776,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,`
			`}`
			`}`

			`+ saverr = drop_security_capability(lo, truncfd);`
			`+ if (saverr) {`
			`+ if (!fi) {`
			`+ close(truncfd);`
			`+ }`
			`+ goto out_err;`
			`+ }`
			`+`
			`res = ftruncate(truncfd, attr->st_size);`
			`saverr = res == -1 ? errno : 0;`
			`if (!fi) {`
			`@@ -1727,6 +1774,13 @@ static int lo_do_open(struct lo_data lo, struct lo_inode inode,`
			`if (fd < 0) {`
			`return -fd;`
			`}`
			`+ if (fi->flags & (O_TRUNC)) {`
			`+ int err = drop_security_capability(lo, fd);`
			`+ if (err) {`
			`+ close(fd);`
			`+ return err;`
			`+ }`
			`+ }`
			`}`

			`pthread_mutex_lock(&lo->mutex);`
			`@@ -2115,6 +2169,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino,`
			`"lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu)\n", ino,`
			`out_buf.buf[0].size, (unsigned long)off);`

			`+ res = drop_security_capability(lo_data(req), out_buf.buf[0].fd);`
			`+ if (res) {`
			`+ fuse_reply_err(req, res);`
			`+ return;`
			`+ }`
			`+`
			`/*`
			`* If kill_priv is set, drop CAP_FSETID which should lead to kernel`
			`* clearing setuid/setgid on file.`
			`@@ -2354,6 +2414,7 @@ static void parse_xattrmap(struct lo_data *lo)`
			`{`
			`const char *map = lo->xattrmap;`
			`const char *tmp;`
			`+ int ret;`

			`lo->xattr_map_nentries = 0;`
			`while (*map) {`
			`@@ -2384,7 +2445,7 @@ static void parse_xattrmap(struct lo_data *lo)`
			`* the last entry.`
			`*/`
			`parse_xattrmap_map(lo, map, sep);`
			`- return;`
			`+ break;`
			`} else {`
			`fuse_log(FUSE_LOG_ERR,`
			`"%s: Unexpected type;"`
			`@@ -2453,6 +2514,19 @@ static void parse_xattrmap(struct lo_data *lo)`
			`fuse_log(FUSE_LOG_ERR, "Empty xattr map\n");`
			`exit(1);`
			`}`
			`+`
			`+ ret = xattr_map_client(lo, "security.capability",`
			`+ &lo->xattr_security_capability);`
			`+ if (ret) {`
			`+ fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n",`
			`+ strerror(ret));`
			`+ exit(1);`
			`+ }`
			`+ if (!strcmp(lo->xattr_security_capability, "security.capability")) {`
			`+ /* 1-1 mapping, don't need to do anything */`
			`+ free(lo->xattr_security_capability);`
			`+ lo->xattr_security_capability = NULL;`
			`+ }`
			`}`

			`/*`
			`@@ -3481,6 +3555,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo)`

			`free(lo->xattrmap);`
			`free_xattrmap(lo);`
			`+ free(lo->xattr_security_capability);`
			`free(lo->source);`
			`}`

			`--`
			`2.27.0`