The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3614
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From 24b77f47ad4cc791f6be0221b53cc791951a0ee5 Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Mon, 4 Jan 2021 10:45:44 +0100 Subject: [PATCH 1/6] macro: use ascending order for capabilities Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- src/lxc/macro.h | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/lxc/macro.h b/src/lxc/macro.h index 3dff019416..7a8e15f384 100644 --- a/src/lxc/macro.h +++ b/src/lxc/macro.h @@ -37,6 +37,14 @@ #endif /* capabilities */ +#ifndef CAP_SETGID +#define CAP_SETGID 6 +#endif + +#ifndef CAP_SETUID +#define CAP_SETUID 7 +#endif + #ifndef CAP_SYS_ADMIN #define CAP_SYS_ADMIN 21 #endif @@ -53,14 +61,6 @@ #define CAP_MAC_ADMIN 33 #endif -#ifndef CAP_SETUID -#define CAP_SETUID 7 -#endif - -#ifndef CAP_SETGID -#define CAP_SETGID 6 -#endif - /* prctl */ #ifndef PR_CAPBSET_READ #define PR_CAPBSET_READ 23 From f2da98c04597cc55c84da67fca6ae54ee68e119d Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Mon, 4 Jan 2021 10:50:07 +0100 Subject: [PATCH 2/6] conf: define missing capabilities Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- src/lxc/conf.c | 12 ------------ src/lxc/macro.h | 24 ++++++++++++++++++++++++ 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index d5c069553a..bc0d01463c 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c 
@@ -210,28 +210,16 @@ static struct caps_opt caps_opt[] = { { "sys_tty_config", CAP_SYS_TTY_CONFIG }, { "mknod", CAP_MKNOD }, { "lease", CAP_LEASE }, -#ifdef CAP_AUDIT_READ { "audit_read", CAP_AUDIT_READ }, -#endif -#ifdef CAP_AUDIT_WRITE { "audit_write", CAP_AUDIT_WRITE }, -#endif -#ifdef CAP_AUDIT_CONTROL { "audit_control", CAP_AUDIT_CONTROL }, -#endif { "setfcap", CAP_SETFCAP }, { "mac_override", CAP_MAC_OVERRIDE }, { "mac_admin", CAP_MAC_ADMIN }, -#ifdef CAP_SYSLOG { "syslog", CAP_SYSLOG }, -#endif -#ifdef CAP_WAKE_ALARM { "wake_alarm", CAP_WAKE_ALARM }, -#endif -#ifdef CAP_BLOCK_SUSPEND { "block_suspend", CAP_BLOCK_SUSPEND }, #endif -#endif }; static struct limit_opt limit_opt[] = { diff --git a/src/lxc/macro.h b/src/lxc/macro.h index 7a8e15f384..4882b1781e 100644 --- a/src/lxc/macro.h +++ b/src/lxc/macro.h @@ -49,6 +49,14 @@ #define CAP_SYS_ADMIN 21 #endif +#ifndef CAP_AUDIT_WRITE +#define CAP_AUDIT_WRITE 29 +#endif + +#ifndef CAP_AUDIT_CONTROL +#define CAP_AUDIT_CONTROL 30 +#endif + #ifndef CAP_SETFCAP #define CAP_SETFCAP 31 #endif @@ -61,6 +69,22 @@ #define CAP_MAC_ADMIN 33 #endif +#ifndef CAP_SYSLOG +#define CAP_SYSLOG 34 +#endif + +#ifndef CAP_WAKE_ALARM +#define CAP_WAKE_ALARM 35 +#endif + +#ifndef CAP_BLOCK_SUSPEND +#define CAP_BLOCK_SUSPEND 36 +#endif + +#ifndef CAP_AUDIT_READ +#define CAP_AUDIT_READ 37 +#endif + /* prctl */ #ifndef PR_CAPBSET_READ #define PR_CAPBSET_READ 23 From 7b4cd4681da399acc1775773d7967a3c94635346 Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Mon, 4 Jan 2021 10:53:19 +0100 Subject: [PATCH 3/6] conf: add new capabilities CAP_{BLOCK_SUSPEND,PERFMON,BPF,CAP_CHECKPOINT_RESTORE} Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- src/lxc/conf.c | 79 +++++++++++++++++++++++++------------------------ src/lxc/macro.h | 12 ++++++++ 2 files changed, 53 insertions(+), 38 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index bc0d01463c..30870aa5b3 100644 --- a/src/lxc/conf.c 
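Review bot: Dropping the `#ifdef CAP_AUDIT_READ` … `#ifdef CAP_BLOCK_SUSPEND` guards around the caps_opt entries means a config naming one of these capabilities now parses on every build, so the only remaining protection against a kernel that does not implement the capability is a runtime check. Within this series that check (lxc_caps_last_cap()) is added to lxc_wants_cap() only; whether the code that applies conf->caps and conf->keepcaps at container start copes with a value above the kernel's last cap is not visible in this hunk and should be confirmed. The numeric fallbacks the unguarded entries depend on arrive in the macro.h hunk of this same patch, so conf.c needs that header in scope (presumably already the case). A comment above the table would record the new contract: `/* Every name is always defined (fallback values in macro.h); the running kernel's ceiling is lxc_caps_last_cap(). */`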
+++ b/src/lxc/conf.c 
@@ -181,44 +181,47 @@ static struct mount_opt propagation_opt[] = { static struct caps_opt caps_opt[] = { #if HAVE_LIBCAP - { "chown", CAP_CHOWN }, - { "dac_override", CAP_DAC_OVERRIDE }, - { "dac_read_search", CAP_DAC_READ_SEARCH }, - { "fowner", CAP_FOWNER }, - { "fsetid", CAP_FSETID }, - { "kill", CAP_KILL }, - { "setgid", CAP_SETGID }, - { "setuid", CAP_SETUID }, - { "setpcap", CAP_SETPCAP }, - { "linux_immutable", CAP_LINUX_IMMUTABLE }, - { "net_bind_service", CAP_NET_BIND_SERVICE }, - { "net_broadcast", CAP_NET_BROADCAST }, - { "net_admin", CAP_NET_ADMIN }, - { "net_raw", CAP_NET_RAW }, - { "ipc_lock", CAP_IPC_LOCK }, - { "ipc_owner", CAP_IPC_OWNER }, - { "sys_module", CAP_SYS_MODULE }, - { "sys_rawio", CAP_SYS_RAWIO }, - { "sys_chroot", CAP_SYS_CHROOT }, - { "sys_ptrace", CAP_SYS_PTRACE }, - { "sys_pacct", CAP_SYS_PACCT }, - { "sys_admin", CAP_SYS_ADMIN }, - { "sys_boot", CAP_SYS_BOOT }, - { "sys_nice", CAP_SYS_NICE }, - { "sys_resource", CAP_SYS_RESOURCE }, - { "sys_time", CAP_SYS_TIME }, - { "sys_tty_config", CAP_SYS_TTY_CONFIG }, - { "mknod", CAP_MKNOD }, - { "lease", CAP_LEASE }, - { "audit_read", CAP_AUDIT_READ }, - { "audit_write", CAP_AUDIT_WRITE }, - { "audit_control", CAP_AUDIT_CONTROL }, - { "setfcap", CAP_SETFCAP }, - { "mac_override", CAP_MAC_OVERRIDE }, - { "mac_admin", CAP_MAC_ADMIN }, - { "syslog", CAP_SYSLOG }, - { "wake_alarm", CAP_WAKE_ALARM }, - { "block_suspend", CAP_BLOCK_SUSPEND }, + { "chown", CAP_CHOWN }, + { "dac_override", CAP_DAC_OVERRIDE }, + { "dac_read_search", CAP_DAC_READ_SEARCH }, + { "fowner", CAP_FOWNER }, + { "fsetid", CAP_FSETID }, + { "kill", CAP_KILL }, + { "setgid", CAP_SETGID }, + { "setuid", CAP_SETUID }, + { "setpcap", CAP_SETPCAP }, + { "linux_immutable", CAP_LINUX_IMMUTABLE }, + { "net_bind_service", CAP_NET_BIND_SERVICE }, + { "net_broadcast", CAP_NET_BROADCAST }, + { "net_admin", CAP_NET_ADMIN }, + { "net_raw", CAP_NET_RAW }, + { "ipc_lock", CAP_IPC_LOCK }, + { "ipc_owner", CAP_IPC_OWNER }, + { "sys_module", 
CAP_SYS_MODULE }, + { "sys_rawio", CAP_SYS_RAWIO }, + { "sys_chroot", CAP_SYS_CHROOT }, + { "sys_ptrace", CAP_SYS_PTRACE }, + { "sys_pacct", CAP_SYS_PACCT }, + { "sys_admin", CAP_SYS_ADMIN }, + { "sys_boot", CAP_SYS_BOOT }, + { "sys_nice", CAP_SYS_NICE }, + { "sys_resource", CAP_SYS_RESOURCE }, + { "sys_time", CAP_SYS_TIME }, + { "sys_tty_config", CAP_SYS_TTY_CONFIG }, + { "mknod", CAP_MKNOD }, + { "lease", CAP_LEASE }, + { "audit_write", CAP_AUDIT_WRITE }, + { "audit_control", CAP_AUDIT_CONTROL }, + { "setfcap", CAP_SETFCAP }, + { "mac_override", CAP_MAC_OVERRIDE }, + { "mac_admin", CAP_MAC_ADMIN }, + { "syslog", CAP_SYSLOG }, + { "wake_alarm", CAP_WAKE_ALARM }, + { "block_suspend", CAP_BLOCK_SUSPEND }, + { "audit_read", CAP_AUDIT_READ }, + { "perfmon", CAP_PERFMON }, + { "bpf", CAP_BPF }, + { "checkpoint_restore", CAP_CHECKPOINT_RESTORE }, #endif }; diff --git a/src/lxc/macro.h b/src/lxc/macro.h index 4882b1781e..24d80fe16e 100644 --- a/src/lxc/macro.h +++ b/src/lxc/macro.h @@ -85,6 +85,18 @@ #define CAP_AUDIT_READ 37 #endif +#ifndef CAP_PERFMON +#define CAP_PERFMON 38 +#endif + +#ifndef CAP_BPF +#define CAP_BPF 39 +#endif + +#ifndef CAP_CHECKPOINT_RESTORE +#define CAP_CHECKPOINT_RESTORE 40 +#endif + /* prctl */ #ifndef PR_CAPBSET_READ #define PR_CAPBSET_READ 23 From fa934e3e24bd08ab1b49f5bd3aeff0406eff12f0 Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Mon, 4 Jan 2021 11:15:34 +0100 Subject: [PATCH 4/6] macro: define all capabilities Fixes: #3612 Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- src/lxc/macro.h | 134 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 119 insertions(+), 15 deletions(-) diff --git a/src/lxc/macro.h b/src/lxc/macro.h index 24d80fe16e..092782aab8 100644 --- a/src/lxc/macro.h +++ b/src/lxc/macro.h 
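Review bot: The whole caps_opt table is re-emitted as removed/added pairs although only the three trailing entries (`perfmon`, `bpf`, `checkpoint_restore`) are functional; the other pairs show identical text here and the move of `audit_read` after `block_suspend` is cosmetic, so the rewrite looks like a re-indentation that hides the real change in review and in blame. Splitting the whitespace change into its own commit would keep this one readable. Since the table is now in kernel numeric order, a one-line comment above it would make that intent survive the next addition: `/* kernel numeric order; keep in sync with linux/capability.h */`. The `#if HAVE_LIBCAP` guard that wraps the table is unchanged, so builds without libcap still get an empty table.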
@@ -37,64 +37,168 @@ #endif /* capabilities */ +#ifndef CAP_CHOWN +#define CAP_CHOWN 0 +#endif + +#ifndef CAP_DAC_OVERRIDE +#define CAP_DAC_OVERRIDE 1 +#endif + +#ifndef CAP_DAC_READ_SEARCH +#define CAP_DAC_READ_SEARCH 2 +#endif + +#ifndef CAP_FOWNER +#define CAP_FOWNER 3 +#endif + +#ifndef CAP_FSETID +#define CAP_FSETID 4 +#endif + +#ifndef CAP_KILL +#define CAP_KILL 5 +#endif + #ifndef CAP_SETGID -#define CAP_SETGID 6 +#define CAP_SETGID 6 #endif #ifndef CAP_SETUID -#define CAP_SETUID 7 +#define CAP_SETUID 7 +#endif + +#ifndef CAP_SETPCAP +#define CAP_SETPCAP 8 +#endif + +#ifndef CAP_LINUX_IMMUTABLE +#define CAP_LINUX_IMMUTABLE 9 +#endif + +#ifndef CAP_NET_BIND_SERVICE +#define CAP_NET_BIND_SERVICE 10 +#endif + +#ifndef CAP_NET_BROADCAST +#define CAP_NET_BROADCAST 11 +#endif + +#ifndef CAP_NET_ADMIN +#define CAP_NET_ADMIN 12 +#endif + +#ifndef CAP_NET_RAW +#define CAP_NET_RAW 13 +#endif + +#ifndef CAP_IPC_LOCK +#define CAP_IPC_LOCK 14 +#endif + +#ifndef CAP_IPC_OWNER +#define CAP_IPC_OWNER 15 +#endif + +#ifndef CAP_SYS_MODULE +#define CAP_SYS_MODULE 16 +#endif + +#ifndef CAP_SYS_RAWIO +#define CAP_SYS_RAWIO 17 +#endif + +#ifndef CAP_SYS_CHROOT +#define CAP_SYS_CHROOT 18 +#endif + +#ifndef CAP_SYS_PTRACE +#define CAP_SYS_PTRACE 19 +#endif + +#ifndef CAP_SYS_PACCT +#define CAP_SYS_PACCT 20 #endif #ifndef CAP_SYS_ADMIN -#define CAP_SYS_ADMIN 21 +#define CAP_SYS_ADMIN 21 +#endif + +#ifndef CAP_SYS_BOOT +#define CAP_SYS_BOOT 22 +#endif + +#ifndef CAP_SYS_NICE +#define CAP_SYS_NICE 23 +#endif + +#ifndef CAP_SYS_RESOURCE +#define CAP_SYS_RESOURCE 24 +#endif + +#ifndef CAP_SYS_TIME +#define CAP_SYS_TIME 25 +#endif + +#ifndef CAP_SYS_TTY_CONFIG +#define CAP_SYS_TTY_CONFIG 26 +#endif + +#ifndef CAP_MKNOD +#define CAP_MKNOD 27 +#endif + +#ifndef CAP_LEASE +#define CAP_LEASE 28 #endif #ifndef CAP_AUDIT_WRITE -#define CAP_AUDIT_WRITE 29 +#define CAP_AUDIT_WRITE 29 #endif #ifndef CAP_AUDIT_CONTROL -#define CAP_AUDIT_CONTROL 30 +#define CAP_AUDIT_CONTROL 30 #endif #ifndef 
CAP_SETFCAP -#define CAP_SETFCAP 31 +#define CAP_SETFCAP 31 #endif #ifndef CAP_MAC_OVERRIDE -#define CAP_MAC_OVERRIDE 32 +#define CAP_MAC_OVERRIDE 32 #endif #ifndef CAP_MAC_ADMIN -#define CAP_MAC_ADMIN 33 +#define CAP_MAC_ADMIN 33 #endif #ifndef CAP_SYSLOG -#define CAP_SYSLOG 34 +#define CAP_SYSLOG 34 #endif #ifndef CAP_WAKE_ALARM -#define CAP_WAKE_ALARM 35 +#define CAP_WAKE_ALARM 35 #endif #ifndef CAP_BLOCK_SUSPEND -#define CAP_BLOCK_SUSPEND 36 +#define CAP_BLOCK_SUSPEND 36 #endif #ifndef CAP_AUDIT_READ -#define CAP_AUDIT_READ 37 +#define CAP_AUDIT_READ 37 #endif #ifndef CAP_PERFMON -#define CAP_PERFMON 38 +#define CAP_PERFMON 38 #endif #ifndef CAP_BPF -#define CAP_BPF 39 +#define CAP_BPF 39 #endif #ifndef CAP_CHECKPOINT_RESTORE -#define CAP_CHECKPOINT_RESTORE 40 +#define CAP_CHECKPOINT_RESTORE 40 #endif /* prctl */ From 309ae2876fe9f58a8db21c5218b859cfc441e597 Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Mon, 4 Jan 2021 11:06:02 +0100 Subject: [PATCH 5/6] conf: add lxc_wants_cap() helper Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- src/lxc/cgroups/cgfsng.c | 5 +---- src/lxc/conf.h | 9 +++++++++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c index 0078b3c858..bf181987f1 100644 --- a/src/lxc/cgroups/cgfsng.c +++ b/src/lxc/cgroups/cgfsng.c @@ -1832,10 +1832,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, } if (!wants_force_mount) { - if (!lxc_list_empty(&handler->conf->keepcaps)) - wants_force_mount = !in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps); - else - wants_force_mount = in_caplist(CAP_SYS_ADMIN, &handler->conf->caps); + wants_force_mount = lxc_wants_cap(CAP_SYS_ADMIN, handler->conf); /* * Most recent distro versions currently have init system that diff --git a/src/lxc/conf.h b/src/lxc/conf.h index 84b0f81b0f..5a501b442a 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h 
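Review bot: Fifteen of the pairs in this hunk (`CAP_SETGID` through `CAP_CHECKPOINT_RESTORE`) remove and re-add a `#define` whose text is identical here, so they appear to be whitespace-only rewrites; keeping the patch to the genuinely new definitions (`CAP_CHOWN` … `CAP_LEASE`) would leave blame pointing at the commit that chose each value. A header comment would also help whoever adds the next capability: `/* Compile-time fallbacks mirroring include/uapi/linux/capability.h for toolchains whose libcap headers predate a capability; the running kernel's ceiling is lxc_caps_last_cap(). */`. These are build-time fallbacks only, so a name defined here still has to be checked against the running kernel before it is used.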
@@ -514,6 +514,15 @@ __hidden extern int run_script(const char *name, const char *section, const char __hidden extern int run_script_argv(const char *name, unsigned int hook_version, const char *section, const char *script, const char *hookname, char **argsin); __hidden extern int in_caplist(int cap, struct lxc_list *caps); + +static inline int lxc_wants_cap(int cap, struct lxc_conf *conf) +{ + if (!lxc_list_empty(&conf->keepcaps)) + return !in_caplist(cap, &conf->keepcaps); + + return in_caplist(cap, &conf->caps); +} + __hidden extern int setup_sysctl_parameters(struct lxc_list *sysctls); __hidden extern int lxc_clear_sysctls(struct lxc_conf *c, const char *key); __hidden extern int setup_proc_filesystem(struct lxc_list *procs, pid_t pid); From d84b26bc8b531c8a8491b6c2061146d958acb63a Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Mon, 4 Jan 2021 11:21:53 +0100 Subject: [PATCH 6/6] conf: fix CAP_NET_ADMIN-based mount handling Fixes: e8b9c9ec6fb9 ("unmounted proc/sys/net if dropping CAP_NET_ADMIN") Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- src/lxc/conf.c | 4 ++-- src/lxc/conf.h | 6 +++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 30870aa5b3..3ddd30bf20 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -640,8 +640,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha { 0, 0, NULL, NULL, NULL, 0, NULL, 0 } }; - bool has_cap_net_admin = in_caplist(CAP_NET_ADMIN, &conf->caps); - for (i = 0; default_mounts[i].match_mask; i++) { + bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf); + for (i = 0; default_mounts[i].match_mask; i++) { __do_free char *destination = NULL, *source = NULL; int saved_errno; unsigned long mflags; diff --git a/src/lxc/conf.h b/src/lxc/conf.h index 5a501b442a..46bab5b303 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h 
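Review bot: lxc_wants_cap() returns the opposite of what its name says: with a non-empty keep list it returns `!in_caplist(cap, &conf->keepcaps)`, which is true exactly when the capability is not kept, and the cgfsng.c hunk of this patch confirms that reading because `wants_force_mount` (true when CAP_SYS_ADMIN was dropped or absent from keepcaps) receives the helper's result unchanged; by symmetry the `in_caplist(cap, &conf->caps)` branch reads as "cap is in the drop list". Either rename the helper (e.g. `lxc_drops_cap()`) or make it true when the cap is retained — `return in_caplist(cap, &conf->keepcaps);` and `return !in_caplist(cap, &conf->caps);` — and negate it at the cgfsng.c call site and in the `has_cap_net_admin` assignment of the conf.c hunk in patch 6/6. This matters because patch 6/6 adds an early `return false` for capabilities above lxc_caps_last_cap(), which under the current body means "not dropped" while the name says "not wanted", so the three return paths no longer agree with each other. Both callers use the value to decide an isolation measure (forced cgroup mount, /proc/sys/net handling), so the helper should read unambiguously.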
@@ -15,6 +15,7 @@ #include <sys/types.h> #include <sys/vfs.h> +#include "caps.h" #include "compiler.h" #include "config.h" #include "list.h" @@ -515,8 +516,11 @@ __hidden extern int run_script_argv(const char *name, unsigned int hook_version, const char *script, const char *hookname, char **argsin); __hidden extern int in_caplist(int cap, struct lxc_list *caps); -static inline int lxc_wants_cap(int cap, struct lxc_conf *conf) +static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf) { + if (lxc_caps_last_cap() < cap) + return false; + if (!lxc_list_empty(&conf->keepcaps)) return !in_caplist(cap, &conf->keepcaps);