thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-virtiofsd-only-retain-file-system-capabilities.patch

ddf19c
From 8727e4904e7a6588e39f231d837f4527f265e47e Mon Sep 17 00:00:00 2001
ddf19c
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
ddf19c
Date: Tue, 5 May 2020 16:35:59 +0100
ddf19c
Subject: [PATCH 8/9] virtiofsd: only retain file system capabilities
ddf19c
ddf19c
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
ddf19c
Message-id: <20200505163600.22956-7-dgilbert@redhat.com>
ddf19c
Patchwork-id: 96272
ddf19c
O-Subject: [RHEL-AV-8.2.1 qemu-kvm PATCH 6/7] virtiofsd: only retain file system capabilities
ddf19c
Bugzilla: 1817445
ddf19c
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
ddf19c
RH-Acked-by: Max Reitz <mreitz@redhat.com>
ddf19c
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
ddf19c
ddf19c
From: Stefan Hajnoczi <stefanha@redhat.com>
ddf19c
ddf19c
virtiofsd runs as root but only needs a subset of root's Linux
ddf19c
capabilities(7).  As a file server its purpose is to create and access
ddf19c
files on behalf of a client.  It needs to be able to access files with
ddf19c
arbitrary uid/gid owners.  It also needs to be create device nodes.
ddf19c
ddf19c
Introduce a Linux capabilities(7) whitelist and drop all capabilities
ddf19c
that we don't need, making the virtiofsd process less powerful than a
ddf19c
regular uid root process.
ddf19c
ddf19c
  # cat /proc/PID/status
ddf19c
  ...
ddf19c
          Before           After
ddf19c
  CapInh: 0000000000000000 0000000000000000
ddf19c
  CapPrm: 0000003fffffffff 00000000880000df
ddf19c
  CapEff: 0000003fffffffff 00000000880000df
ddf19c
  CapBnd: 0000003fffffffff 0000000000000000
ddf19c
  CapAmb: 0000000000000000 0000000000000000
ddf19c
ddf19c
Note that file capabilities cannot be used to achieve the same effect on
ddf19c
the virtiofsd executable because mount is used during sandbox setup.
ddf19c
Therefore we drop capabilities programmatically at the right point
ddf19c
during startup.
ddf19c
ddf19c
This patch only affects the sandboxed child process.  The parent process
ddf19c
that sits in waitpid(2) still has full root capabilities and will be
ddf19c
addressed in the next patch.
ddf19c
ddf19c
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
ddf19c
Message-Id: <20200416164907.244868-2-stefanha@redhat.com>
ddf19c
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
ddf19c
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
ddf19c
(cherry picked from commit a59feb483b8fae24d043569ccfcc97ea23d54a02)
ddf19c
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
ddf19c
---
ddf19c
 tools/virtiofsd/passthrough_ll.c | 38 ++++++++++++++++++++++++++++++++++++++
ddf19c
 1 file changed, 38 insertions(+)
ddf19c
ddf19c
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
ddf19c
index 614ba55..6358874 100644
ddf19c
--- a/tools/virtiofsd/passthrough_ll.c
ddf19c
+++ b/tools/virtiofsd/passthrough_ll.c
ddf19c
@@ -2723,6 +2723,43 @@ static void setup_mounts(const char *source)
ddf19c
 }
ddf19c
 
ddf19c
 /*
ddf19c
+ * Only keep whitelisted capabilities that are needed for file system operation
ddf19c
+ */
ddf19c
+static void setup_capabilities(void)
ddf19c
+{
ddf19c
+    pthread_mutex_lock(&cap.mutex);
ddf19c
+    capng_restore_state(&cap.saved);
ddf19c
+
ddf19c
+    /*
ddf19c
+     * Whitelist file system-related capabilities that are needed for a file
ddf19c
+     * server to act like root.  Drop everything else like networking and
ddf19c
+     * sysadmin capabilities.
ddf19c
+     *
ddf19c
+     * Exclusions:
ddf19c
+     * 1. CAP_LINUX_IMMUTABLE is not included because it's only used via ioctl
ddf19c
+     *    and we don't support that.
ddf19c
+     * 2. CAP_MAC_OVERRIDE is not included because it only seems to be
ddf19c
+     *    used by the Smack LSM.  Omit it until there is demand for it.
ddf19c
+     */
ddf19c
+    capng_setpid(syscall(SYS_gettid));
ddf19c
+    capng_clear(CAPNG_SELECT_BOTH);
ddf19c
+    capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE,
ddf19c
+            CAP_CHOWN,
ddf19c
+            CAP_DAC_OVERRIDE,
ddf19c
+            CAP_DAC_READ_SEARCH,
ddf19c
+            CAP_FOWNER,
ddf19c
+            CAP_FSETID,
ddf19c
+            CAP_SETGID,
ddf19c
+            CAP_SETUID,
ddf19c
+            CAP_MKNOD,
ddf19c
+            CAP_SETFCAP);
ddf19c
+    capng_apply(CAPNG_SELECT_BOTH);
ddf19c
+
ddf19c
+    cap.saved = capng_save_state();
ddf19c
+    pthread_mutex_unlock(&cap.mutex);
ddf19c
+}
ddf19c
+
ddf19c
+/*
ddf19c
  * Lock down this process to prevent access to other processes or files outside
ddf19c
  * source directory.  This reduces the impact of arbitrary code execution bugs.
ddf19c
  */
ddf19c
@@ -2732,6 +2769,7 @@ static void setup_sandbox(struct lo_data *lo, struct fuse_session *se,
ddf19c
     setup_namespaces(lo, se);
ddf19c
     setup_mounts(lo->source);
ddf19c
     setup_seccomp(enable_syslog);
ddf19c
+    setup_capabilities();
ddf19c
 }
ddf19c
 
ddf19c
 /* Set the maximum number of open file descriptors */
ddf19c
-- 
ddf19c
1.8.3.1
ddf19c