On Wed, Mar 27, 2013 at 04:36:38PM -0600, Eric Blake wrote:
> On 03/25/2013 08:25 AM, Paolo Bonzini wrote:
> > The need_prctl variable is not really needed.  If it is false,
> > capng_apply will be called twice with the same set, causing
> > a little extra work but no problem.  This keeps the code a bit
> > simpler.
> > 
> > It is also clearer to invoke capng_apply(CAPNG_SELECT_BOUNDS)
> > separately, to make sure it is done while we have CAP_SETPCAP.
> > 
> > Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
> > ---
> >  src/util/virutil.c | 18 +++++++++++-------
> >  1 file changed, 11 insertions(+), 7 deletions(-)
> 
> >      /* Change to the temp capabilities */
> > -    if ((capng_ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
> > +    if ((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0) {
> 
> Beforehand, we limited both caps and bounding set, with an overlarge
> set, now you are limiting just caps...
> 
> >          virReportError(VIR_ERR_INTERNAL_ERROR,
> >                         _("cannot apply process capabilities %d"), 
> > capng_ret);
> >          goto cleanup;
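Review bot: the comment `/* Change to the temp capabilities */` above `capng_apply(CAPNG_SELECT_CAPS)` should now say that only the capability sets are applied here and that the bounding set is deliberately left for a separate `capng_apply(CAPNG_SELECT_BOUNDS)` after the uid/gid change. Without that, anyone comparing this line against the removed `CAPNG_SELECT_BOTH` reads the hunk as dropping the bounding-set restriction, which is exactly the question raised above.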
> > @@ -3063,12 +3061,18 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned 
> > long long capBits,
> >          goto cleanup;
> >  
> >      /* Tell it we are done keeping capabilities */
> > -    if (need_prctl && prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0)) {
> > +    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0)) {
> >          virReportSystemError(errno, "%s",
> >                               _("prctl failed to reset KEEPCAPS"));
> >          goto cleanup;
> >      }
> >  
> > +    /* Set bounding set while we have CAP_SETPCAP.  Unfortunately we cannot
> > +     * do this if we failed to get the capability above, so ignore the
> > +     * return value.
> > +     */
> > +    capng_apply(CAPNG_SELECT_BOUNDS);
> 
> ...and then separately limiting bounds, but still while having an
> overlarge set.
> 
> > +
> >      /* Drop the caps that allow setuid/gid (unless they were requested) */
> >      if (need_setgid)
> >          capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, 
> > CAP_SETGID);
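Review bot: `capng_apply(CAPNG_SELECT_BOUNDS);` discards its return value, so a failure to restrict the bounding set, the whole reason the call exists, leaves no trace anywhere. The comment explains why failure is expected when CAP_SETPCAP could not be obtained, but that is the only failure worth ignoring: suggest either logging a negative return (VIR_DEBUG or VIR_WARN with the value) or testing for CAP_SETPCAP in the permitted set first so that only the known case is skipped silently. Making the discard explicit with a (void) cast would also stop it looking like an oversight.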
> > @@ -3078,7 +3082,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned 
> > long long capBits,
> >      if (need_setpcap)
> >          capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, 
> > CAP_SETPCAP);
> 
> Here, the set is now pruned to size...
> 
> >  
> > -    if (need_prctl && ((capng_ret = capng_apply(CAPNG_SELECT_BOTH)) < 0)) {
> > +    if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)) {
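Review bot: the doubled parentheses in `if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0))` are a leftover from removing `need_prctl &&`; drop the outer pair. On the CAPS-versus-BOTH question for this call: the `need_setpcap` block directly above may already have dropped CAP_SETPCAP from the effective and permitted sets, and the comment in the previous hunk says the bounding set cannot be changed without it, so CAPNG_SELECT_BOUNDS could not succeed at this point anyway. A one-line comment saying the bounding set was already applied while CAP_SETPCAP was held would make the CAPNG_SELECT_CAPS choice self-explanatory.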
> 
> ...but you are now only limiting caps, not the bounding set.  Is that
> correct?

This method is derived from code in libcap-ng capng_change_id. Paolo's
changes actually make the libvirt code closer to what capng_change_id
does, so I think it is OK.

> Does this need to be considered for 1.0.4, or can we delay it to
> post-release?

I think we can wait for this whole series - it is really feature
work rather than critical bugfix.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
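Eric's question above ("you are now only limiting caps, not the bounding set") can be settled after the fact by reading the four capability masks of the resulting process. The following is an added example, not libvirt's code: a check script that parses the CapInh/CapPrm/CapEff/CapBnd lines of /proc/<pid>/status and reports anything beyond the requested set, with the bounding set checked separately because that is the part that needs CAP_SETPCAP. The status excerpts are constructed, the requested set (CAP_NET_ADMIN, CAP_NET_RAW) is an arbitrary choice, and the capability numbering is the Linux one from capability.h.

```python
"""Check the outcome of a capability drop from /proc/<pid>/status.

Added example, not libvirt code: it verifies the sets that a
virSetUIDGIDWithCaps()-style drop is meant to leave behind (CapInh/
CapPrm/CapEff trimmed to the requested bits, and CapBnd trimmed too,
which is the part that needs CAP_SETPCAP). Status excerpts below are
constructed samples, not captures from a real system.
"""
import re

# Linux capability numbering, CAP_CHOWN = 0 ... CAP_BLOCK_SUSPEND = 36.
CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND",
)
CAP_BIT = {name: 1 << i for i, name in enumerate(CAP_NAMES)}
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd")

_CAP_LINE = re.compile(r"^(CapInh|CapPrm|CapEff|CapBnd):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_status_caps(status_text):
    """Return {"CapInh": int, ...} from the text of /proc/<pid>/status."""
    caps = {name: int(hexmask, 16) for name, hexmask in _CAP_LINE.findall(status_text)}
    missing = [s for s in CAP_SETS if s not in caps]
    if missing:
        raise ValueError("status text lacks " + ", ".join(missing))
    return caps


def decode(mask):
    """Names of the capabilities set in a bitmask (unknown bits as CAP_<n>)."""
    names = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def mask_of(names):
    """Bitmask for a list of capability names."""
    mask = 0
    for name in names:
        mask |= CAP_BIT[name]
    return mask


def check_privilege_drop(caps, wanted):
    """Findings for a process that should hold only the capabilities in `wanted`.

    The three per-thread sets must not contain anything unrequested (this
    catches CAP_SETUID/CAP_SETGID/CAP_SETPCAP surviving the drop), and the
    bounding set must be trimmed as well, or an execve() of a binary with
    file capabilities could hand back what was dropped.
    """
    want = mask_of(wanted)
    findings = []
    for which in ("CapInh", "CapPrm", "CapEff"):
        extra = caps[which] & ~want
        if extra:
            findings.append("%s holds unrequested %s" % (which, ", ".join(decode(extra))))
    extra_bnd = caps["CapBnd"] & ~want
    if extra_bnd:
        findings.append("CapBnd not restricted: %d unrequested capabilities remain"
                        % len(decode(extra_bnd)))
    return findings


# Constructed samples. 0x3000 is CAP_NET_ADMIN | CAP_NET_RAW; 0x100 is CAP_SETPCAP.
WANTED = ["CAP_NET_ADMIN", "CAP_NET_RAW"]
GOOD_STATUS = ("Name:\tqemu-system-x86\nUid:\t107\t107\t107\t107\n"
               "CapInh:\t0000000000000000\nCapPrm:\t0000000000003000\n"
               "CapEff:\t0000000000003000\nCapBnd:\t0000000000003000\n")
# Bounding set never applied and CAP_SETPCAP never dropped: the outcome the
# patch's ordering (bounds while CAP_SETPCAP is held, then drop it) avoids.
BAD_STATUS = ("Name:\tqemu-system-x86\nUid:\t107\t107\t107\t107\n"
              "CapInh:\t0000000000000000\nCapPrm:\t0000000000003100\n"
              "CapEff:\t0000000000003100\nCapBnd:\t0000001fffffffff\n")

if __name__ == "__main__":
    import sys
    # Usage: script.py <pid> CAP_NAME...  (no arguments: run on the bad sample)
    if len(sys.argv) > 1:
        with open("/proc/%s/status" % sys.argv[1]) as f:
            status, wanted = f.read(), sys.argv[2:]
    else:
        status, wanted = BAD_STATUS, WANTED
    for line in check_privilege_drop(parse_status_caps(status), wanted) or ["OK"]:
        print(line)
```

Run it against a live process as `script.py $(pidof qemu-system-x86) CAP_NET_ADMIN CAP_NET_RAW`; an empty finding list means all four sets, bounding set included, were trimmed to the request.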

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
