From: Stefan Hajnoczi
To: qemu-devel@nongnu.org
Cc: virtio-fs@redhat.com, Stefan Hajnoczi, "Dr. David Alan Gilbert", Vivek Goyal
Subject: [PATCH 1/2] virtiofsd: only retain file system capabilities
Date: Thu, 16 Apr 2020 17:49:06 +0100
Message-Id: <20200416164907.244868-2-stefanha@redhat.com>
In-Reply-To: <20200416164907.244868-1-stefanha@redhat.com>
References: <20200416164907.244868-1-stefanha@redhat.com>

virtiofsd runs as root but only needs a subset of root's Linux
capabilities(7). As a file server its purpose is to create and access
files on behalf of a client. It needs to be able to access files with
arbitrary uid/gid owners. It also needs to be able to create device nodes.

Introduce a Linux capabilities(7) whitelist and drop all capabilities that
we don't need, making the virtiofsd process less powerful than a regular
uid root process.

  # cat /proc/PID/status
  ...
          Before            After
  CapInh: 0000000000000000  0000000000000000
  CapPrm: 0000003fffffffff  00000000880000df
  CapEff: 0000003fffffffff  00000000880000df
  CapBnd: 0000003fffffffff  0000000000000000
  CapAmb: 0000000000000000  0000000000000000

Note that file capabilities cannot be used to achieve the same effect on
the virtiofsd executable because mount is used during sandbox setup.
Therefore we drop capabilities programmatically at the right point during
startup.

This patch only affects the sandboxed child process.
The parent process that sits in waitpid(2) still has full root
capabilities and will be addressed in the next patch.

Signed-off-by: Stefan Hajnoczi
Reviewed-by: Dr. David Alan Gilbert
---
 tools/virtiofsd/passthrough_ll.c | 38 ++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 4c35c95b25..af97ba1c41 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -2695,6 +2695,43 @@ static void setup_mounts(const char *source) close(oldroot); } =20 +/* + * Only keep whitelisted capabilities that are needed for file system oper= ation + */ +static void setup_capabilities(void) +{ + pthread_mutex_lock(&cap.mutex); + capng_restore_state(&cap.saved); + + /* + * Whitelist file system-related capabilities that are needed for a fi= le + * server to act like root. Drop everything else like networking and + * sysadmin capabilities. + * + * Exclusions: + * 1. CAP_LINUX_IMMUTABLE is not included because it's only used via i= octl + * and we don't support that. + * 2. CAP_MAC_OVERRIDE is not included because it only seems to be + * used by the Smack LSM. Omit it until there is demand for it. + */ + capng_setpid(syscall(SYS_gettid)); + capng_clear(CAPNG_SELECT_BOTH); + capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, + CAP_CHOWN, + CAP_DAC_OVERRIDE, + CAP_DAC_READ_SEARCH, + CAP_FOWNER, + CAP_FSETID, + CAP_SETGID, + CAP_SETUID, + CAP_MKNOD, + CAP_SETFCAP); + capng_apply(CAPNG_SELECT_BOTH); + + cap.saved =3D capng_save_state(); + pthread_mutex_unlock(&cap.mutex); +} + /* * Lock down this process to prevent access to other processes or files ou= tside * source directory. This reduces the impact of arbitrary code execution = bugs.
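Review bot: setup_capabilities() ignores the return values of capng_updatev() and capng_apply(), so if either fails the child keeps the full root set while setup_sandbox() carries on as though the drop had succeeded. Suggest treating failure as fatal, e.g. `if (capng_apply(CAPNG_SELECT_BOTH) != 0) { /* log */ exit(1); }`, and checking capng_updatev() the same way since it also returns non-zero on failure. The block comment could also say that CAPNG_SELECT_BOTH clears the bounding set as well as the thread's capability sets; that is what produces the CapBnd value of 0 quoted in the commit message and is what stops the process regaining anything through file capabilities on a later execve.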
@@ -2705,6 +2742,7 @@ static void setup_sandbox(struct lo_data *lo, struct = fuse_session *se, setup_namespaces(lo, se); setup_mounts(lo->source); setup_seccomp(enable_syslog); + setup_capabilities(); } =20 /* Raise the maximum number of open file descriptors */
-- 
2.25.1
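Review bot: in setup_sandbox() the new setup_capabilities() call lands after setup_seccomp(enable_syslog), which is the only order that can work (installing a seccomp filter without no_new_privs requires CAP_SYS_ADMIN, which this patch drops), but it means the seccomp allow list has to include the capset(2) and prctl(2) calls that capng_apply(CAPNG_SELECT_BOTH) issues, and nothing in the hunk records that dependency. Suggest a one-line comment above `+ setup_capabilities();` stating that it must stay last because it removes CAP_SYS_ADMIN, and a check that those two syscalls are on the seccomp whitelist; otherwise the drop either fails silently (given the unchecked return in the previous hunk) or the process is killed by the filter.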
From: Stefan Hajnoczi
To: qemu-devel@nongnu.org
Cc: virtio-fs@redhat.com, Stefan Hajnoczi, "Dr. David Alan Gilbert", Vivek Goyal
Subject: [PATCH 2/2] virtiofsd: drop all capabilities in the wait parent process
Date: Thu, 16 Apr 2020 17:49:07 +0100
Message-Id: <20200416164907.244868-3-stefanha@redhat.com>
In-Reply-To: <20200416164907.244868-1-stefanha@redhat.com>
References: <20200416164907.244868-1-stefanha@redhat.com>

All this process does is wait for its child. No capabilities are needed.

Signed-off-by: Stefan Hajnoczi
Reviewed-by: Philippe Mathieu-Daudé
---
 tools/virtiofsd/passthrough_ll.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index af97ba1c41..0c3f33b074 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -2530,6 +2530,17 @@ static void print_capabilities(void) printf("}\n"); } =20 +/* + * Drop all Linux capabilities because the wait parent process only needs = to + * sit in waitpid(2) and terminate. + */ +static void setup_wait_parent_capabilities(void) +{ + capng_setpid(syscall(SYS_gettid)); + capng_clear(CAPNG_SELECT_BOTH); + capng_apply(CAPNG_SELECT_BOTH); +} + /* * Move to a new mount, net, and pid namespaces to isolate this process. */ @@ -2561,6 +2572,8 @@ static void setup_namespaces(struct lo_data *lo, stru= ct fuse_session *se) pid_t waited; int wstatus; =20 + setup_wait_parent_capabilities(); + /* The parent waits for the child */ do { waited =3D waitpid(child, &wstatus, 0); --=20 2.25.1
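Review bot: setup_wait_parent_capabilities() also ignores the return value of capng_apply(); for a process whose whole purpose is to hold no privilege, a failed drop should be fatal rather than silent, e.g. `if (capng_apply(CAPNG_SELECT_BOTH) != 0) exit(1);`. The `capng_setpid(syscall(SYS_gettid)); capng_clear(CAPNG_SELECT_BOTH);` sequence is now duplicated from setup_capabilities() in patch 1; a small shared helper that also does the error check would keep the two in step.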
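Review bot: the new call sits after the fork and before the `waited = waitpid(child, &wstatus, 0);` loop, so the child still inherits the full set before its own setup_capabilities() runs, which is correct, but the hunk does not say that nothing the parent does from here on may need a capability. A short comment above `+ setup_wait_parent_capabilities();` stating that the parent only waits and exits would document the invariant, since with the bounding set cleared the parent cannot regain anything later (it could not, for instance, signal a child that had changed uid without CAP_KILL).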
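Both patches drive the capability drop through libcap-ng. The program below is an added example, not virtiofsd or libcap-ng code, that shows what capng_clear(CAPNG_SELECT_BOTH), capng_updatev() and capng_apply(CAPNG_SELECT_BOTH) amount to at the syscall level, and derives the CapPrm/CapEff value 00000000880000df quoted in patch 1's commit message from the same nine-entry whitelist. With keep == 0 it is patch 2's wait-parent case. The names cap_mask, parse_cap_line, read_own_cap and apply_capability_whitelist are this example's own. It assumes Linux for prctl(2), capset(2) and /proc/PID/status; the privileged part only succeeds as root, the pure helpers run anywhere.

```c
/*
 * Added example, not virtiofsd's own code: the capability whitelist from
 * patch 1 without libcap-ng, plus helpers that reproduce the CapPrm/CapEff
 * numbers in the commit message. Build: cc -Wall -o capdrop capdrop.c
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#endif

/* Capability numbers from <linux/capability.h>, spelled out so the pure
 * helpers also build on non-Linux hosts. Same list as setup_capabilities():
 * CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID,
 * CAP_SETGID, CAP_SETUID, CAP_MKNOD, CAP_SETFCAP. */
static const int fs_whitelist[] = { 0, 1, 2, 3, 4, 6, 7, 27, 31 };
#define FS_WHITELIST_LEN (sizeof(fs_whitelist) / sizeof(fs_whitelist[0]))
#define CAP_PARSE_ERR UINT64_MAX

/* Bit mask in the format /proc/PID/status prints for CapPrm/CapEff/CapBnd. */
uint64_t cap_mask(const int *caps, size_t n)
{
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++)
        m |= (uint64_t)1 << caps[i];
    return m;
}

/* Parse a "CapXxx:<ws><hex>" status line; CAP_PARSE_ERR unless the line is
 * `field` with a valid hex value. */
uint64_t parse_cap_line(const char *line, const char *field)
{
    size_t len = strlen(field);
    const char *p;
    char *end;
    uint64_t v;
    if (strncmp(line, field, len) != 0 || line[len] != ':')
        return CAP_PARSE_ERR;
    for (p = line + len + 1; *p == ' ' || *p == '\t'; p++)
        ;
    errno = 0;
    v = strtoull(p, &end, 16);
    return (errno != 0 || end == p) ? CAP_PARSE_ERR : v;
}

/* Read one capability set of the calling process, e.g. "CapEff". */
uint64_t read_own_cap(const char *field)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    uint64_t v = CAP_PARSE_ERR;
    if (!f)
        return CAP_PARSE_ERR;
    while (v == CAP_PARSE_ERR && fgets(line, sizeof(line), f))
        v = parse_cap_line(line, field);
    fclose(f);
    return v;
}

#ifdef __linux__
/* What capng_clear(CAPNG_SELECT_BOTH) + capng_updatev() + capng_apply() do at
 * the syscall level: empty the bounding set first (needs CAP_SETPCAP, which
 * capset below removes), then set permitted = effective = `keep` and
 * inheritable = 0. Returns 0, or -1 with errno set (EPERM when not root). */
int apply_capability_whitelist(uint64_t keep)
{
    for (int c = 0; c < 64; c++) {
        if (prctl(PR_CAPBSET_DROP, c, 0, 0, 0) != 0) {
            if (errno == EINVAL)
                break; /* past the running kernel's last capability */
            return -1;
        }
    }
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {
        { (uint32_t)keep, (uint32_t)keep, 0 },                 /* caps 0..31 */
        { (uint32_t)(keep >> 32), (uint32_t)(keep >> 32), 0 }, /* caps 32..63 */
    };
    return (int)syscall(SYS_capset, &hdr, data);
}
#endif

int main(void)
{
    uint64_t want = cap_mask(fs_whitelist, FS_WHITELIST_LEN), eff;
    printf("whitelist mask: %016llx\n", (unsigned long long)want);
#ifdef __linux__
    if (apply_capability_whitelist(want) != 0) {
        perror("apply_capability_whitelist"); /* EPERM unless root */
        return 1;
    }
    eff = read_own_cap("CapEff");
    if (eff != CAP_PARSE_ERR)
        printf("CapEff now:     %016llx\n", (unsigned long long)eff);
#endif
    return 0;
}
```

Run as root it prints the whitelist mask 00000000880000df and then the same value for CapEff, matching the "After" column in patch 1; as an unprivileged user apply_capability_whitelist() fails with EPERM, which is exactly the kind of failure the patches' unchecked capng_apply() would hide. The bounding set is emptied before capset() for the same reason libcap-ng does it in that order: PR_CAPBSET_DROP needs CAP_SETPCAP, and the whitelist does not keep it.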