From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 1/2] virSetUIDGIDWithCaps: Don't drop CAP_SETPCAP right away
Date: Fri, 25 Jun 2021 09:22:55 +0200
Message-Id: <9ce8db1627bfc4ae8b531afbd45fa94d20ca739d.1624605698.git.mprivozn@redhat.com>

There are few cases where we execute a virCommand with all caps cleared (virCommandClearCaps()). For instance dnsmasqCapsRefreshInternal() does just that. This means, that after fork() and before exec() the virSetUIDGIDWithCaps() is called. But since the caller did not want to change anything, just drop capabilities, these are the values of arguments:

  virSetUIDGIDWithCaps (uid=-1, gid=-1, groups=0x0, ngroups=0, capBits=0, clearExistingCaps=true)

This means that indeed all capabilities will be dropped, including CAP_SETPCAP. But this capability controls whether capabilities can be set, IOW whether capng_apply() succeeds. There are two calls of capng_apply() in the function. The CAP_SETPCAP is dropped after the first call and thus the other call (capng_apply(CAPNG_SELECT_BOUNDS);) fails.
The solution is to keep the capability for as long as needed (just like CAP_SETGID and CAP_SETUID) and drop it only at the very end (just like CAP_SETGID and CAP_SETUID).

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949388
Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
--- src/util/virutil.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/util/virutil.c b/src/util/virutil.c index 311cbbf93a..199d405286 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c 
@@ -1184,12 +1184,10 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *g= roups, int ngroups, } # ifdef PR_CAPBSET_DROP /* If newer kernel, we need also need setpcap to change the bounding s= et */ - if ((capBits || need_setgid || need_setuid) && - !capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { + if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { need_setpcap =3D true; - } - if (need_setpcap) capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPC= AP); + } # endif =20 /* Tell system we want to keep caps across uid change */ --=20 2.31.1
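Review bot: The comment kept above the new `if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP))` still reads "If newer kernel, we need also need setpcap to change the bounding set" and does not say why the capability is now requested unconditionally. With the `capBits || need_setgid || need_setuid` guard removed, a caller that only clears capabilities reaches this branch as well, so the comment should state that CAP_SETPCAP is held for the later capng_apply(CAPNG_SELECT_BOUNDS) call and dropped at the very end; the doubled "need" can be fixed in the same edit. The return value of capng_update() inside the branch is also ignored; checking it here would report a failure at the point where it happens.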
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 2/2] virSetUIDGIDWithCaps: Assume PR_CAPBSET_DROP is always defined
Date: Fri, 25 Jun 2021 09:22:56 +0200

Bounding set capabilities were introduced in kernel commit of v2.6.25-rc1~912. I guess it is safe to assume that all Linux hosts we ran on have at least that version or newer.

Signed-off-by: Michal Privoznik
--- src/util/virutil.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/util/virutil.c b/src/util/virutil.c index 199d405286..ed3d57662b 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c 
@@ -1182,13 +1182,12 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *g= roups, int ngroups, need_setuid =3D true; capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETUI= D); } -# ifdef PR_CAPBSET_DROP - /* If newer kernel, we need also need setpcap to change the bounding s= et */ + + /* We need also need setpcap to change the bounding set */ if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { need_setpcap =3D true; capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPC= AP); } -# endif =20 /* Tell system we want to keep caps across uid change */ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { --=20 2.31.1
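Review bot: The replacement comment `/* We need also need setpcap to change the bounding set */` carries over the doubled "need" from the line it replaces; since the line is rewritten anyway, "We also need setpcap to change the bounding set" would read correctly. The block that sat under the removed `# ifdef PR_CAPBSET_DROP` only references CAP_SETPCAP and capng calls in the lines shown, so it would help to say in the commit message that the guard was not protecting any use of the PR_CAPBSET_DROP constant here.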
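The ordering problem described in the [PATCH 1/2] commit message, as an added example that is not libvirt code: it uses raw capget/capset and prctl(PR_CAPBSET_DROP) instead of libcap-ng, and the function names and the choice of CAP_NET_RAW as the capability to drop are assumptions. A forked child that clears CAP_SETPCAP from its effective set before touching the bounding set gets EPERM, which is the failure the patch avoids by keeping the capability until the end.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read (set=0) or write (set=1) the calling thread's capability sets. */
static int caps_io(int set, struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(set ? SYS_capset : SYS_capget, &h, d);
}

/* 1 if cap is in the effective set, 0 if not, -1 on error. */
int cap_effective(int cap)
{
    struct __user_cap_data_struct d[2] = { {0}, {0} };
    if (caps_io(0, d) < 0)
        return -1;
    return (d[cap / 32].effective >> (cap % 32)) & 1;
}

/* Added example, not libvirt code. A forked child tries to drop CAP_NET_RAW
 * from its bounding set, optionally after clearing CAP_SETPCAP from its
 * effective set (the pre-patch order). Returns 0 on success, the errno of
 * the failing call otherwise, or -1 if the child could not be run. */
int bounding_drop_errno(int drop_setpcap_first)
{
    struct __user_cap_data_struct d[2] = { {0}, {0} };
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_setpcap_first) {
            if (caps_io(0, d) < 0)
                _exit(errno);
            d[CAP_SETPCAP / 32].effective &= ~(1u << (CAP_SETPCAP % 32));
            if (caps_io(1, d) < 0)
                _exit(errno);
        }
        _exit(prctl(PR_CAPBSET_DROP, CAP_NET_RAW, 0, 0, 0) ? errno : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { return bounding_drop_errno(1) == EPERM ? 0 : 1; }
```

Run unprivileged, both orders fail with EPERM because CAP_SETPCAP was never effective; run with CAP_SETPCAP, only the early-drop order fails.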