* [PATCH] main: refuse to run under file capabilities
@ 2026-02-13 22:53 Alan Ross
From: Alan Ross @ 2026-02-13 22:53 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, Alan Ross
Extend the existing setuid guard in main() to also detect
file capabilities via getauxval(AT_SECURE).
Some container runtimes and minimal distributions grant cap_net_admin
via file capabilities (setcap cap_net_admin+ep /usr/sbin/nft)
rather than running through sudo. In that configuration the kernel
sets AT_SECURE and the dynamic linker strips LD_PRELOAD, but
getuid() == geteuid() so the existing setuid check passes.
CAP_NET_ADMIN is quite powerful; even without dlopen(), we should not
sanction setcap-installations — a control flow bug could still be
exploited as the capability-elevated user.
getauxval(AT_SECURE) is nonzero whenever the kernel has set AT_SECURE
in the auxiliary vector — this covers both classic setuid/setgid and
file capabilities. Exit with status 111, matching the existing
setuid behavior.
Signed-off-by: Alan Ross <alan@sleuthco.ai>
---
src/main.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/main.c b/src/main.c
index 29b0533..af49bec 100644
--- a/src/main.c
+++ b/src/main.c
@@ -17,6 +17,7 @@
#include <getopt.h>
#include <fcntl.h>
#include <sys/types.h>
+#include <sys/auxv.h>
#include <nftables/libnftables.h>
#include <utils.h>
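Review bot: the new `#include <sys/auxv.h>` makes getauxval() a hard build requirement; glibc (2.16 and later) and musl provide it, but other C libraries may not, so the build would fail there rather than degrade. Suggest a configure/meson check (e.g. HAVE_GETAUXVAL) that guards both the include and the call and falls back to the plain `getuid() != geteuid()` test, or at least a sentence in the commit message stating the libc requirement.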
@@ -371,8 +372,8 @@ int main(int argc, char * const *argv)
char *filename = NULL;
unsigned int len;
- /* nftables cannot be used with setuid in a safe way. */
- if (getuid() != geteuid())
+ /* nftables cannot be used with setuid/setcap in a safe way. */
+ if (getuid() != geteuid() || getauxval(AT_SECURE))
_exit(111);
if (!nft_options_check(argc, argv))
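Review bot: the updated comment ("setuid/setcap") is narrower than what the new condition enforces. The kernel also sets AT_SECURE for a setgid exec and whenever an LSM marks the exec as secure (SELinux does so on domain transitions that are not granted noatsecure), so nft can now reach `_exit(111)` with no uid or capability change at all, and because the exit is silent the user sees status 111 with nothing on stderr. Suggest a short diagnostic via write(STDERR_FILENO, ...) before `_exit(111)` and widening the comment to say that any secure exec (uid/gid change, file capabilities, LSM transition) is refused. Minor: getauxval(AT_SECURE) returns 0 both for a present value of 0 and for a missing entry (glibc sets errno to ENOENT), so the guard fails open in the missing case; AT_SECURE has been in the Linux auxv for a long time, so this is worth a comment rather than extra code.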
--
2.43.0
* Re: [PATCH] main: refuse to run under file capabilities
@ 2026-02-14 18:46 ` Florian Westphal
From: Florian Westphal @ 2026-02-14 18:46 UTC (permalink / raw)
To: Alan Ross; +Cc: netfilter-devel, pablo
Alan Ross <alan@sleuthco.ai> wrote:
> Extend the existing setuid guard in main() to also detect
> file capabilities via getauxval(AT_SECURE).
Applied, thanks!