[libvirt] [PATCH 2/5] util: allow using virCommandAllowCap with setuid helpers

Eric Blake eblake at redhat.com
Wed Mar 27 22:46:28 UTC 2013 

On 03/25/2013 08:25 AM, Paolo Bonzini wrote:
> When running unprivileged, virSetUIDGIDWithCaps will fail because it
> tries to add the requested capabilities to the permitted and effective
> sets.
> 
> Detect this case, and invoke the child with cleared permitted and
> effective sets.  If it is a setuid program, it will get them.
> 
> Some care is needed also because you cannot drop capabilities from the
> bounding set without CAP_SETPCAP.  Because of that, ignore errors from
> setting the bounding set.

That seems like a kernel flaw - it makes sense that you can't _add_
capabilities without CAP_SETPCAP, but being unable to _drop_
capabilities without first acquiring a capability seems backwards.  I
wonder if lkml would accept a patch that makes CAP_SETPCAP unnecessary
for the restriction case, and only require it for the case of gaining
capabilities.  But regardless of that thought experiment, I agree that
the behavior is what it is in released kernels, so we must deal with it.

> 
> Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
> ---
>  src/util/virutil.c | 18 +++++++++++++++---
>  1 file changed, 15 insertions(+), 3 deletions(-)
> 
> diff --git a/src/util/virutil.c b/src/util/virutil.c
> index 36e6cee..8104e89 100644
> --- a/src/util/virutil.c
> +++ b/src/util/virutil.c
> @@ -3052,9 +3052,21 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned long long capBits,
>  
>      /* Change to the temp capabilities */
>      if ((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0) {
> -        virReportError(VIR_ERR_INTERNAL_ERROR,
> -                       _("cannot apply process capabilities %d"), capng_ret);
> -        goto cleanup;
> +        /* Failed.  If we are running unprivileged, and the arguments make sense
> +         * for this scenario, assume we're starting some kind of setuid helper:
> +         * do not set any of capBits in the permitted or effective sets, and let
> +         * the program get them on its own.
> +         *
> +         * (Too bad we cannot restrict the bounding set to the capabilities we
> +         * would like the helper to have!).
> +         */
> +        if (getuid() > 0 && clearExistingCaps && !need_setuid && !need_setgid) {
> +            capng_clear(CAPNG_SELECT_CAPS);
> +        } else {
> +            virReportError(VIR_ERR_INTERNAL_ERROR,
> +                           _("cannot apply process capabilities %d"), capng_ret);
> +            goto cleanup;
> +        }

Hmm, this seems like we may want it for 1.0.4, but I still had questions
on 1/5 which needs to be applied first.

As written, the patch makes sense.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 621 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130327/7f9c4b9d/attachment-0001.sig>

More information about the libvir-list mailing list