Blame SOURCES/kvm-virtiofsd-only-retain-file-system-capabilities.patch

77c23f
From 8727e4904e7a6588e39f231d837f4527f265e47e Mon Sep 17 00:00:00 2001
77c23f
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
77c23f
Date: Tue, 5 May 2020 16:35:59 +0100
77c23f
Subject: [PATCH 8/9] virtiofsd: only retain file system capabilities
77c23f
77c23f
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
77c23f
Message-id: <20200505163600.22956-7-dgilbert@redhat.com>
77c23f
Patchwork-id: 96272
77c23f
O-Subject: [RHEL-AV-8.2.1 qemu-kvm PATCH 6/7] virtiofsd: only retain file system capabilities
77c23f
Bugzilla: 1817445
77c23f
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
77c23f
RH-Acked-by: Max Reitz <mreitz@redhat.com>
77c23f
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
77c23f
77c23f
From: Stefan Hajnoczi <stefanha@redhat.com>
77c23f
77c23f
virtiofsd runs as root but only needs a subset of root's Linux
77c23f
capabilities(7).  As a file server its purpose is to create and access
77c23f
files on behalf of a client.  It needs to be able to access files with
77c23f
arbitrary uid/gid owners.  It also needs to be create device nodes.
77c23f
77c23f
Introduce a Linux capabilities(7) whitelist and drop all capabilities
77c23f
that we don't need, making the virtiofsd process less powerful than a
77c23f
regular uid root process.
77c23f
77c23f
  # cat /proc/PID/status
77c23f
  ...
77c23f
          Before           After
77c23f
  CapInh: 0000000000000000 0000000000000000
77c23f
  CapPrm: 0000003fffffffff 00000000880000df
77c23f
  CapEff: 0000003fffffffff 00000000880000df
77c23f
  CapBnd: 0000003fffffffff 0000000000000000
77c23f
  CapAmb: 0000000000000000 0000000000000000
77c23f
77c23f
Note that file capabilities cannot be used to achieve the same effect on
77c23f
the virtiofsd executable because mount is used during sandbox setup.
77c23f
Therefore we drop capabilities programmatically at the right point
77c23f
during startup.
77c23f
77c23f
This patch only affects the sandboxed child process.  The parent process
77c23f
that sits in waitpid(2) still has full root capabilities and will be
77c23f
addressed in the next patch.
77c23f
77c23f
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
77c23f
Message-Id: <20200416164907.244868-2-stefanha@redhat.com>
77c23f
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
77c23f
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
77c23f
(cherry picked from commit a59feb483b8fae24d043569ccfcc97ea23d54a02)
77c23f
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
77c23f
---
77c23f
 tools/virtiofsd/passthrough_ll.c | 38 ++++++++++++++++++++++++++++++++++++++
77c23f
 1 file changed, 38 insertions(+)
77c23f
77c23f
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
77c23f
index 614ba55..6358874 100644
77c23f
--- a/tools/virtiofsd/passthrough_ll.c
77c23f
+++ b/tools/virtiofsd/passthrough_ll.c
77c23f
@@ -2723,6 +2723,43 @@ static void setup_mounts(const char *source)
77c23f
 }
77c23f
 
77c23f
 /*
77c23f
+ * Only keep whitelisted capabilities that are needed for file system operation
77c23f
+ */
77c23f
+static void setup_capabilities(void)
77c23f
+{
77c23f
+    pthread_mutex_lock(&cap.mutex);
77c23f
+    capng_restore_state(&cap.saved);
77c23f
+
77c23f
+    /*
77c23f
+     * Whitelist file system-related capabilities that are needed for a file
77c23f
+     * server to act like root.  Drop everything else like networking and
77c23f
+     * sysadmin capabilities.
77c23f
+     *
77c23f
+     * Exclusions:
77c23f
+     * 1. CAP_LINUX_IMMUTABLE is not included because it's only used via ioctl
77c23f
+     *    and we don't support that.
77c23f
+     * 2. CAP_MAC_OVERRIDE is not included because it only seems to be
77c23f
+     *    used by the Smack LSM.  Omit it until there is demand for it.
77c23f
+     */
77c23f
+    capng_setpid(syscall(SYS_gettid));
77c23f
+    capng_clear(CAPNG_SELECT_BOTH);
77c23f
+    capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE,
77c23f
+            CAP_CHOWN,
77c23f
+            CAP_DAC_OVERRIDE,
77c23f
+            CAP_DAC_READ_SEARCH,
77c23f
+            CAP_FOWNER,
77c23f
+            CAP_FSETID,
77c23f
+            CAP_SETGID,
77c23f
+            CAP_SETUID,
77c23f
+            CAP_MKNOD,
77c23f
+            CAP_SETFCAP);
77c23f
+    capng_apply(CAPNG_SELECT_BOTH);
77c23f
+
77c23f
+    cap.saved = capng_save_state();
77c23f
+    pthread_mutex_unlock(&cap.mutex);
77c23f
+}
77c23f
+
77c23f
+/*
77c23f
  * Lock down this process to prevent access to other processes or files outside
77c23f
  * source directory.  This reduces the impact of arbitrary code execution bugs.
77c23f
  */
77c23f
@@ -2732,6 +2769,7 @@ static void setup_sandbox(struct lo_data *lo, struct fuse_session *se,
77c23f
     setup_namespaces(lo, se);
77c23f
     setup_mounts(lo->source);
77c23f
     setup_seccomp(enable_syslog);
77c23f
+    setup_capabilities();
77c23f
 }
77c23f
 
77c23f
 /* Set the maximum number of open file descriptors */
77c23f
-- 
77c23f
1.8.3.1
77c23f