From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: groug@kaod.org, qemu-devel@nongnu.org, dgilbert@redhat.com
Subject: Re: [PATCH] virtfs-proxy-helper: switch from libcap to libcap-ng
Date: Fri, 29 Nov 2019 14:55:10 +0000 [thread overview]
Message-ID: <20191129145510.GK2260471@redhat.com> (raw)
In-Reply-To: <20191129111632.22840-2-pbonzini@redhat.com>
On Fri, Nov 29, 2019 at 12:16:32PM +0100, Paolo Bonzini wrote:
> virtfs-proxy-helper is the only user of libcap; everyone else is using
> the simpler libcap-ng API. Switch and remove the configure code to
> detect libcap.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> configure | 18 +------
> fsdev/virtfs-proxy-helper.c | 100 ++++++++++++++++--------------------
> 2 files changed, 46 insertions(+), 72 deletions(-)
The dockerfiles can also be updated to remove libcap-dev/devel
>
> diff --git a/configure b/configure
> index afe9393f04..2216662bf6 100755
> --- a/configure
> +++ b/configure
> @@ -3863,22 +3863,6 @@ else
> mpathpersist=no
> fi
>
> -##########################################
> -# libcap probe
> -
> -if test "$cap" != "no" ; then
> - cat > $TMPC <<EOF
> -#include <stdio.h>
> -#include <sys/capability.h>
> -int main(void) { cap_t caps; caps = cap_init(); return caps != NULL; }
> -EOF
> - if compile_prog "" "-lcap" ; then
> - cap=yes
> - else
> - cap=no
> - fi
> -fi
> -
> ##########################################
> # pthread probe
> PTHREADLIBS_LIST="-pthread -lpthread -lpthreadGC2"
> @@ -6204,7 +6188,7 @@ if test "$want_tools" = "yes" ; then
> fi
> if test "$softmmu" = yes ; then
> if test "$linux" = yes; then
> - if test "$virtfs" != no && test "$cap" = yes && test "$attr" = yes ; then
> + if test "$virtfs" != no && test "$cap_ng" = yes && test "$attr" = yes ; then
> virtfs=yes
> tools="$tools fsdev/virtfs-proxy-helper\$(EXESUF)"
> else
> diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
> index 6f132c5ff1..0d4de49dcf 100644
> --- a/fsdev/virtfs-proxy-helper.c
> +++ b/fsdev/virtfs-proxy-helper.c
> @@ -13,7 +13,6 @@
> #include <sys/resource.h>
> #include <getopt.h>
> #include <syslog.h>
> -#include <sys/capability.h>
> #include <sys/fsuid.h>
> #include <sys/vfs.h>
> #include <sys/ioctl.h>
> @@ -21,6 +20,7 @@
> #ifdef CONFIG_LINUX_MAGIC_H
> #include <linux/magic.h>
> #endif
> +#include <cap-ng.h>
> #include "qemu-common.h"
> #include "qemu/sockets.h"
> #include "qemu/xattr.h"
> @@ -79,49 +79,10 @@ static void do_perror(const char *string)
> }
> }
>
> -static int do_cap_set(cap_value_t *cap_value, int size, int reset)
> -{
> - cap_t caps;
> - if (reset) {
> - /*
> - * Start with an empty set and set permitted and effective
> - */
> - caps = cap_init();
> - if (caps == NULL) {
> - do_perror("cap_init");
> - return -1;
> - }
> - if (cap_set_flag(caps, CAP_PERMITTED, size, cap_value, CAP_SET) < 0) {
> - do_perror("cap_set_flag");
> - goto error;
> - }
> - } else {
> - caps = cap_get_proc();
> - if (!caps) {
> - do_perror("cap_get_proc");
> - return -1;
> - }
> - }
> - if (cap_set_flag(caps, CAP_EFFECTIVE, size, cap_value, CAP_SET) < 0) {
> - do_perror("cap_set_flag");
> - goto error;
> - }
> - if (cap_set_proc(caps) < 0) {
> - do_perror("cap_set_proc");
> - goto error;
> - }
> - cap_free(caps);
> - return 0;
> -
> -error:
> - cap_free(caps);
> - return -1;
> -}
> -
> static int init_capabilities(void)
> {
> /* helper needs following capabilities only */
> - cap_value_t cap_list[] = {
> + int cap_list[] = {
> CAP_CHOWN,
> CAP_DAC_OVERRIDE,
> CAP_FOWNER,
> @@ -130,7 +91,34 @@ static int init_capabilities(void)
> CAP_MKNOD,
> CAP_SETUID,
> };
> - return do_cap_set(cap_list, ARRAY_SIZE(cap_list), 1);
> + int i;
> +
> + capng_clear(CAPNG_SELECT_BOTH);
> + for (i = 0; i < ARRAY_SIZE(cap_list); i++) {
> + if (capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
> + cap_list[i]) < 0) {
> + do_perror("capng_update");
> + return -1;
> + }
> + }
> + if (capng_apply(CAPNG_SELECT_BOTH) < 0) {
> + do_perror("capng_apply");
> + return -1;
> + }
> +
> + /* Prepare effective set for setugid. */
> + for (i = 0; i < ARRAY_SIZE(cap_list); i++) {
> + if (cap_list[i] == CAP_DAC_OVERRIDE) {
> + continue;
> + }
> +
> + if (capng_update(CAPNG_DROP, CAPNG_EFFECTIVE,
> + cap_list[i]) < 0) {
> + do_perror("capng_update");
> + return -1;
> + }
> + }
> + return 0;
> }
>
> static int socket_read(int sockfd, void *buff, ssize_t size)
> @@ -295,14 +283,6 @@ static int setugid(int uid, int gid, int *suid, int *sgid)
> {
> int retval;
>
> - /*
> - * We still need DAC_OVERRIDE because we don't change
> - * supplementary group ids, and hence may be subjected DAC rules
> - */
> - cap_value_t cap_list[] = {
> - CAP_DAC_OVERRIDE,
> - };
> -
> *suid = geteuid();
> *sgid = getegid();
>
> @@ -316,11 +296,21 @@ static int setugid(int uid, int gid, int *suid, int *sgid)
> goto err_sgid;
> }
>
> - if (uid != 0 || gid != 0) {
> - if (do_cap_set(cap_list, ARRAY_SIZE(cap_list), 0) < 0) {
> - retval = -errno;
> - goto err_suid;
> - }
> + if (uid == 0 && gid == 0) {
> + /* Linux has already copied the permitted set to the effective set. */
> + return 0;
> + }
> +
> + /*
> + * All capabilities have been cleared from the effective set. However
> + * we still need DAC_OVERRIDE because we don't change supplementary
> + * group ids, and hence may be subject to DAC rules. init_capabilities
> + * left the set of capabilities that we want in libcap-ng's state.
> + */
> + if (capng_apply(CAPNG_SELECT_CAPS) < 0) {
> + retval = -errno;
> + do_perror("capng_apply");
> + goto err_suid;
> }
> return 0;
>
> --
> 2.21.0
>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
prev parent reply other threads:[~2019-11-29 16:05 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-29 11:16 [PATCH] virtfs-proxy-helper: switch from libcap to libcap-ng Paolo Bonzini
2019-11-29 12:09 ` Daniel P. Berrangé
2019-11-29 12:32 ` Greg Kurz
2019-11-29 12:49 ` Paolo Bonzini
2019-11-29 12:59 ` Greg Kurz
2019-12-03 10:34 ` Greg Kurz
2019-12-03 11:51 ` Paolo Bonzini
2019-11-29 14:55 ` Daniel P. Berrangé [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191129145510.GK2260471@redhat.com \
--to=berrange@redhat.com \
--cc=dgilbert@redhat.com \
--cc=groug@kaod.org \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).