On 29.03.2022 21:29, Timo Rothenpieler wrote:
+static bool
+do_keep_caps(bool prepare)
+{
+    struct __user_cap_header_struct cap_hdr = { _LINUX_CAPABILITY_VERSION_3 };
+    struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] = {};
+
+    if (syscall(SYS_capget, &cap_hdr, cap_data) < 0)
+    {
+        msg(M_NONFATAL | M_ERRNO, "failed getting capabilities");
+        return false;
+    }
+
+    if (prepare)
+    {
+        SET_CAP_HELPER(cap_data, permitted, CAP_NET_ADMIN);
+    }
+    else
+    {
+        SET_CAP_HELPER(cap_data, effective, CAP_NET_ADMIN);

This is missing something like the following:

        /* Clamp permitted capabilities to effective ones.
         * Without doing this, the process can give itself root-like caps at 
any time. */
        for (int i = 0; i < sizeof(cap_data)/sizeof(cap_data[0]); i++)
        {
            cap_data[i].permitted = cap_data[i].effective;
        }

Without that, the permitted caps stay the full set of root caps, and the process can make them effective at any time.

Patch on GitHub is updated with that.

+    }
+
+    if (syscall(SYS_capset, &cap_hdr, cap_data) < 0)
+    {
+        msg(M_NONFATAL | M_ERRNO, "failed setting %s capabilities", prepare ? 
"permitted" : "effective");
+        return false;
+    }
+
+    if (prepare && prctl(PR_SET_KEEPCAPS, 1) < 0)
+    {
+        msg(M_NONFATAL | M_ERRNO, "failed setting keepcaps");
+        return false;
+    }
+
+    return true;
+}
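Review bot: The `prepare == false` branch re-raises CAP_NET_ADMIN but never switches the keep-capabilities flag back off, so the `PR_SET_KEEPCAPS` set by the `prepare` call stays on until the next execve. Assuming the caller (not visible here) runs `prepare == true` before the uid change and `prepare == false` after it, the flag has done its job by the time the second `capset` succeeds. Consider adding `if (!prepare && prctl(PR_SET_KEEPCAPS, 0) < 0)` with a non-fatal `msg()` before the final `return true;`. The inheritable words are also written back exactly as `capget` returned them. If the daemon was started with a non-empty inheritable set, it survives the drop, so setting `cap_data[i].inheritable = 0` in the same branch would close that off. A short comment above `do_keep_caps` stating the expected call order would help too, since the two branches are only safe when used as a pair.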

