Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to preventrebooting from inside containers
On Fri, May 08, 2009 at 12:43:19PM +0900, Ryota Ozaki wrote: Hi Serge, On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi Serge, On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi, ... + for (i = 0 ; i ARRAY_CARDINALITY(caps) ; i++) { + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) { + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, + %s, _(failed to drop %s), caps[i].name); + return -1; Ideally you should also drop it from pI. If not drop it, a user in a container could set CAP_SYS_BOOT fI bit of /bin/reboot on and then the user could gain CAP_SYS_BOOT back through the fI. Is this understanding right? Yup. Of course most tasks run with pI empty, so it seems unlikely that it would be a problem, but unless the libcap dependecy becomes a problem, it seems worth making sure that doesn't happen. Oh, I slightly misread your suggestions, sorry. You are suggesting making sure requires dropping a capability in both bounding set AND pI of a process and to do so we need an additional package (libcap2 or somewhat) because prctl(2) doesn't have the function to drop pI, aren't you? um, I hope my patch is sufficient as a first step, but ok, I'll try to implement the function to drop pI as well and confirm whether it is feasible for libvirt. The patch I have just posted should take care of this issue with pI http://www.redhat.com/archives/libvir-list/2009-June/msg00413.html Regards, Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to preventrebooting from inside containers
Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi, Current lxc driver unexpectedly allows users inside containers to reboot host physical machine. This patch prevents this by dropping CAP_SYS_BOOT capability in the bounding set of the init processes in every containers. Note that the patch intends to make it easy to add further capabilities to drop if needed, although I'm not sure which capabilities should be dropped. (We might need to drop CAP_SETFCAP as well to be strict...) Thanks, ozaki-r Signed-off-by: Ryota Ozaki ozaki.ry...@gmail.com From 0e7a7622bc6411bbe76c05c63c6e6e61d379d97b Mon Sep 17 00:00:00 2001 From: Ryota Ozaki ozaki.ry...@gmail.com Date: Fri, 8 May 2009 04:29:24 +0900 Subject: [PATCH] lxc: drop CAP_SYS_BOOT capability to prevent rebooting from inside containers Current lxc driver unexpectedly allows users inside containers to reboot host physical machine. This patch prevents this by dropping CAP_SYS_BOOT capability in the bounding set of the init processes in every containers. --- src/lxc_container.c | 30 ++ 1 files changed, 30 insertions(+), 0 deletions(-) diff --git a/src/lxc_container.c b/src/lxc_container.c index 3946b84..37ab216 100644 --- a/src/lxc_container.c +++ b/src/lxc_container.c @@ -32,6 +32,8 @@ #include sys/ioctl.h #include sys/mount.h #include sys/wait.h +#include sys/prctl.h +#include sys/capability.h #include unistd.h #include mntent.h @@ -639,6 +641,30 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef, return lxcContainerSetupExtraMounts(vmDef); } + +static int lxcContainerDropCapabilities( virDomainDefPtr vmDef ) +{ +int i; +const struct { +int id; +const char *name; +} caps[] = { +#define ID_STRING(name) name, #name +{ ID_STRING(CAP_SYS_BOOT) }, +}; + +for (i = 0 ; i ARRAY_CARDINALITY(caps) ; i++) { +if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) { +lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, + %s, _(failed to drop %s), caps[i].name); +return -1; Ideally you should also drop it from pI. +} +} + +return 0; +} + + /** * lxcChild: * @argv: Pointer to container arguments @@ -705,6 +731,10 @@ static int lxcContainerChild( void *data ) if (lxcContainerEnableInterfaces(argv-nveths, argv-veths) 0) return -1; +/* drop a set of root capabilities */ +if (lxcContainerDropCapabilities(vmDef) 0) +return -1; + /* this function will only return if an error occured */ return lxcContainerExecInit(vmDef); } -- 1.6.0.6 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to preventrebooting from inside containers
Hi Serge, On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi, Current lxc driver unexpectedly allows users inside containers to reboot host physical machine. This patch prevents this by dropping CAP_SYS_BOOT capability in the bounding set of the init processes in every containers. Note that the patch intends to make it easy to add further capabilities to drop if needed, although I'm not sure which capabilities should be dropped. (We might need to drop CAP_SETFCAP as well to be strict...) Thanks, ozaki-r Signed-off-by: Ryota Ozaki ozaki.ry...@gmail.com From 0e7a7622bc6411bbe76c05c63c6e6e61d379d97b Mon Sep 17 00:00:00 2001 From: Ryota Ozaki ozaki.ry...@gmail.com Date: Fri, 8 May 2009 04:29:24 +0900 Subject: [PATCH] lxc: drop CAP_SYS_BOOT capability to prevent rebooting from inside containers Current lxc driver unexpectedly allows users inside containers to reboot host physical machine. This patch prevents this by dropping CAP_SYS_BOOT capability in the bounding set of the init processes in every containers. --- src/lxc_container.c | 30 ++ 1 files changed, 30 insertions(+), 0 deletions(-) diff --git a/src/lxc_container.c b/src/lxc_container.c index 3946b84..37ab216 100644 --- a/src/lxc_container.c +++ b/src/lxc_container.c @@ -32,6 +32,8 @@ #include sys/ioctl.h #include sys/mount.h #include sys/wait.h +#include sys/prctl.h +#include sys/capability.h #include unistd.h #include mntent.h @@ -639,6 +641,30 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef, return lxcContainerSetupExtraMounts(vmDef); } + +static int lxcContainerDropCapabilities( virDomainDefPtr vmDef ) +{ + int i; + const struct { + int id; + const char *name; + } caps[] = { +#define ID_STRING(name) name, #name + { ID_STRING(CAP_SYS_BOOT) }, + }; + + for (i = 0 ; i ARRAY_CARDINALITY(caps) ; i++) { + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) { + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, + %s, _(failed to drop %s), caps[i].name); + return -1; Ideally you should also drop it from pI. If not drop it, a user in a container could set CAP_SYS_BOOT fI bit of /bin/reboot on and then the user could gain CAP_SYS_BOOT back through the fI. Is this understanding right? Thanks, ozaki-r + } + } + + return 0; +} + + /** * lxcChild: * @argv: Pointer to container arguments @@ -705,6 +731,10 @@ static int lxcContainerChild( void *data ) if (lxcContainerEnableInterfaces(argv-nveths, argv-veths) 0) return -1; + /* drop a set of root capabilities */ + if (lxcContainerDropCapabilities(vmDef) 0) + return -1; + /* this function will only return if an error occured */ return lxcContainerExecInit(vmDef); } -- 1.6.0.6 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to preventrebooting from inside containers
Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi Serge, On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi, ... + for (i = 0 ; i ARRAY_CARDINALITY(caps) ; i++) { + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) { + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, + %s, _(failed to drop %s), caps[i].name); + return -1; Ideally you should also drop it from pI. If not drop it, a user in a container could set CAP_SYS_BOOT fI bit of /bin/reboot on and then the user could gain CAP_SYS_BOOT back through the fI. Is this understanding right? Yup. Of course most tasks run with pI empty, so it seems unlikely that it would be a problem, but unless the libcap dependecy becomes a problem, it seems worth making sure that doesn't happen. thanks, -serge -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to preventrebooting from inside containers
Hi Serge, On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi Serge, On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi, ... + for (i = 0 ; i ARRAY_CARDINALITY(caps) ; i++) { + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) { + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, + %s, _(failed to drop %s), caps[i].name); + return -1; Ideally you should also drop it from pI. If not drop it, a user in a container could set CAP_SYS_BOOT fI bit of /bin/reboot on and then the user could gain CAP_SYS_BOOT back through the fI. Is this understanding right? Yup. Of course most tasks run with pI empty, so it seems unlikely that it would be a problem, but unless the libcap dependecy becomes a problem, it seems worth making sure that doesn't happen. Oh, I slightly misread your suggestions, sorry. You are suggesting making sure requires dropping a capability in both bounding set AND pI of a process and to do so we need an additional package (libcap2 or somewhat) because prctl(2) doesn't have the function to drop pI, aren't you? um, I hope my patch is sufficient as a first step, but ok, I'll try to implement the function to drop pI as well and confirm whether it is feasible for libvirt. Thanks, ozaki-r thanks, -serge -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list