From: "Daniel P. Berrange" <berrange@redhat.com>
To: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
Cc: aliguori@us.ibm.com, coreyb@linux.vnet.ibm.com, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 3/4] Add cap reduction support to enable use as SUID
Date: Thu, 6 Oct 2011 17:34:55 +0100 [thread overview]
Message-ID: <20111006163455.GE2450@redhat.com> (raw)
In-Reply-To: <1317915508-15491-4-git-send-email-rmarwah@linux.vnet.ibm.com>
On Thu, Oct 06, 2011 at 11:38:27AM -0400, Richa Marwaha wrote:
> The ideal way to use qemu-bridge-helper is to give it an fscap of using:
>
> setcap cap_net_admin=ep qemu-bridge-helper
>
> Unfortunately, most distros still do not have a mechanism to package files
> with fscaps applied. This means they'll have to SUID the qemu-bridge-helper
> binary.
>
> To improve security, use libcap to reduce our capability set to just
> cap_net_admin, then reduce privileges down to the calling user. This is
> hopefully close to equivalent to fscap support from a security perspective.
> +#ifdef CONFIG_LIBCAP
> +static int drop_privileges(void)
> +{
> + cap_t cap;
> + cap_value_t new_caps[] = {CAP_NET_ADMIN};
> +
> + cap = cap_init();
Check for NULL ?
> +
> + /* set capabilities to be permitted and inheritable. we don't need the
> + * caps to be effective right now as they'll get reset when we seteuid
> + * anyway */
> + cap_set_flag(cap, CAP_PERMITTED, 1, new_caps, CAP_SET);
> + cap_set_flag(cap, CAP_INHERITABLE, 1, new_caps, CAP_SET);
Check for failure ?
> +
> + if (cap_set_proc(cap) == -1) {
> + return -1;
> + }
> +
> + cap_free(cap);
Check for failure ?
> +
> + /* reduce our privileges to a normal user */
> + setegid(getgid());
> + seteuid(getuid());
Check for failure ?
> + cap = cap_init();
Check for NULL ?
> +
> + /* enable the our capabilities. we marked them as inheritable earlier
> + * which is what allows this to work. */
> + cap_set_flag(cap, CAP_EFFECTIVE, 1, new_caps, CAP_SET);
> + cap_set_flag(cap, CAP_PERMITTED, 1, new_caps, CAP_SET);
Check for failure ?
> +
> + if (cap_set_proc(cap) == -1) {
> + return -1;
> + }
> +
> + cap_free(cap);
Check for failure ?
> +
> + return 0;
> +}
> +#endif
It may seem like checking for failure on cap_free/cap_set_flag is
not required because they can only return EINVAL for invalid
args, but since this is missing the check for NULL on cap_init
you can actually see errors from those latter functions in an
OOM cenario.
I think I'd suggest not using libcap, instead try libcap-ng [1] whose
APIs are designed with safety in mind & result in much simpler and
clearer code:
eg, that entire function above can be expressed using capng with
something approximating:
capng_clear(CAPNG_SELECT_BOTH);
if (capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_NET_ADMIN) < 0)
error(...);
if (capng_change_id(getuid(), getgid(), CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING))
error(...);
Regards,
Daniel
[1] http://people.redhat.com/sgrubb/libcap-ng/
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2011-10-06 17:30 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-06 15:38 [Qemu-devel] [PATCH 0/4] -net tap: rootless bridge support for qemu Richa Marwaha
2011-10-06 15:38 ` [Qemu-devel] [PATCH 1/4] Add basic version of bridge helper Richa Marwaha
2011-10-06 16:41 ` Daniel P. Berrange
2011-10-06 18:04 ` Anthony Liguori
2011-10-06 18:38 ` Corey Bryant
2011-10-07 9:04 ` Daniel P. Berrange
2011-10-07 14:40 ` Corey Bryant
2011-10-07 14:45 ` Daniel P. Berrange
2011-10-07 14:51 ` Corey Bryant
2011-10-07 14:52 ` Corey Bryant
2011-10-06 17:44 ` Anthony Liguori
2011-10-06 18:10 ` Corey Bryant
2011-10-06 15:38 ` [Qemu-devel] [PATCH 2/4] Add access control support to qemu-bridge-helper Richa Marwaha
2011-10-06 15:38 ` [Qemu-devel] [PATCH 3/4] Add cap reduction support to enable use as SUID Richa Marwaha
2011-10-06 16:34 ` Daniel P. Berrange [this message]
2011-10-06 17:42 ` Anthony Liguori
2011-10-06 18:05 ` Corey Bryant
2011-10-06 18:08 ` Corey Bryant
2011-10-06 15:38 ` [Qemu-devel] [PATCH 4/4] Add support for bridge Richa Marwaha
2011-10-06 17:49 ` Anthony Liguori
2011-10-06 18:15 ` Corey Bryant
2011-10-06 18:19 ` Anthony Liguori
2011-10-06 18:24 ` Corey Bryant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111006163455.GE2450@redhat.com \
--to=berrange@redhat.com \
--cc=aliguori@us.ibm.com \
--cc=coreyb@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=rmarwah@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.