[Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges

2022-03-30 Thread Timo Rothenpieler
---
Using libcap-ng now


 configure.ac  | 19 +
 distro/systemd/openvpn-cli...@.service.in |  2 +-
 distro/systemd/openvpn-ser...@.service.in |  2 +-
 src/openvpn/init.c| 25 ++-
 src/openvpn/platform.c| 91 +++
 src/openvpn/platform.h|  5 ++
 6 files changed, 140 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index 7199483a..168360d4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -794,6 +794,25 @@ dnl
esac
 fi
 
+dnl
+dnl Depend on libcap-ng on Linux
+dnl
+case "$host" in
+   *-*-linux*)
+   PKG_CHECK_MODULES([LIBCAPNG],
+ [libcap-ng],
+ [have_libcapng="yes"],
+ [AC_MSG_ERROR([libcap-ng package not found. 
Is the development package and pkg-config installed?])]
+   )
+   AC_CHECK_HEADER([sys/prctl.h],,[AC_MSG_ERROR([sys/prctl.h not 
found!])])
+
+   CFLAGS="${CFLAGS} ${LIBCAPNG_CFALGS}"
+   LIBS="${LIBS} ${LIBCAPNG_LIBS}"
+   AC_DEFINE(HAVE_LIBCAPNG, 1, [Enable libcap-ng support])
+   ;;
+esac
+
+
 if test "${with_crypto_library}" = "openssl"; then
AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL])
AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL])
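Review bot: `CFLAGS="${CFLAGS} ${LIBCAPNG_CFALGS}"` misspells the pkg-config output variable, so the include path pkg-config reports for libcap-ng is silently dropped and the build only succeeds where the header happens to be on the default search path; change it to `CFLAGS="${CFLAGS} ${LIBCAPNG_CFLAGS}"`. The same typo is in the configure.ac hunk of the v1 patch further down. `have_libcapng="yes"` is set on success but nothing in the hunk reads it, so it is dead unless consumed elsewhere in configure.ac. Note also that the check is a hard AC_MSG_ERROR on every Linux host rather than only when DCO or SITNL is built, which is a wider dependency than "Using libcap-ng now" suggests and is worth stating explicitly in the commit message.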
diff --git a/distro/systemd/openvpn-cli...@.service.in 
b/distro/systemd/openvpn-cli...@.service.in
index cbcef653..159fb4dc 100644
--- a/distro/systemd/openvpn-cli...@.service.in
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -11,7 +11,7 @@ Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn/client
 ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
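Review bot: CAP_SETPCAP is added to CapabilityBoundingSet without a comment explaining why, and a widened bounding set is exactly the line an operator auditing the unit will question. Presumably it is required so the libcap-ng calls in platform.c can keep CAP_NET_ADMIN across the uid/gid switch; confirm against the code and record it with a one-line comment above the directive such as `# CAP_SETPCAP: needed by libcap-ng to retain CAP_NET_ADMIN after dropping root`. The server unit hunk below, and both unit hunks in the v1 patch, make the same change and would take the same comment.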
diff --git a/distro/systemd/openvpn-ser...@.service.in 
b/distro/systemd/openvpn-ser...@.service.in
index d1cc72cb..6e8e7d94 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -11,7 +11,7 @@ Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE 
CAP_AUDIT_WRITE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE 
CAP_AUDIT_WRITE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 8818ba6f..705eb92e 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1138,6 +1138,25 @@ possibly_become_daemon(const struct options *options)
 return ret;
 }
 
+/*
+ * Determine if we need to retain process capabilities. DCO and SITNL need it.
+ * Enforce it for DCO, but only try and soft-fail for SITNL to keep backwards 
compat.
+ */
+static int
+get_need_keep_caps(struct context *c)
+{
+if (dco_enabled(>options))
+{
+return 1;
+}
+
+#ifdef ENABLE_SITNL
+return -1;
+#else
+return 0;
+#endif
+}
+
 /*
  * Actually do UID/GID downgrade, chroot and SELinux context switching, if 
requested.
  */
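Review bot: get_need_keep_caps() encodes three outcomes in a bare int (1, -1, 0) but its comment only describes the policy, not what each value means, and the callee in platform.c branches on `keep_caps > 0` versus `keep_caps == 0`, so the encoding is part of the contract. Extend the header comment with the return semantics, e.g. `Returns 1 when capabilities must be kept (failure is fatal), -1 when keeping them is best-effort (SITNL; failure is non-fatal) and 0 when nothing needs to be kept.` The parameter could also be `const struct context *c` if dco_enabled() accepts a const pointer, since the function only reads it. The same hunk appears unchanged in the v1 patch below.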
@@ -1167,8 +1186,10 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
 {
 if (no_delay)
 {
-platform_group_set(>platform_state_group);
-platform_user_set(>platform_state_user);
+int keep_caps = get_need_keep_caps(c);
+platform_user_group_set(>platform_state_user,
+>platform_state_group,
+keep_caps);
 }
 else if (c->first_time)
 {
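Review bot: Only the `no_delay` branch is switched to platform_user_group_set(); the `else if (c->first_time)` branch that follows is outside the hunk. If that branch merely logs that the downgrade is deferred and the function is re-entered later with no_delay set, this is fine; if it still calls platform_group_set()/platform_user_set() itself, the delayed privilege-drop path would lose CAP_NET_ADMIN in exactly the way this patch means to prevent, so it is worth confirming. do_uid_gid_chroot() starts and ends outside the hunk; the v1 patch carries the identical hunk.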
diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
index 450f28ba..4fce5a83 100644
--- a/src/openvpn/platform.c
+++ b/src/openvpn/platform.c
@@ -43,6 +43,11 @@
 #include 
 #endif
 
+#ifdef HAVE_LIBCAPNG
+#include 
+#include 
+#endif
+
 /* Redefine the top level directory of the filesystem
  * to restrict access to files for security */
 void
@@ -155,6 +160,92 @@ platform_group_set(const struct platform_state_group 
*state)
 #endif
 }
 
+void platform_user_group_set(const struct platform_state_user *user_state,
+ const struct platform_state_group *group_state,
+ int keep_caps)
+{
+unsigned int err_flags = (keep_caps > 0) ? M_FATAL : M_NONFATAL;
+#ifdef HAVE_LIBCAPNG
+int new_gid = -1, new_uid = -1;
+   

[Openvpn-devel] [PATCH] Retain CAP_NET_ADMIN when dropping privileges

2022-03-30 Thread Timo Rothenpieler
---
 configure.ac  | 18 ++
 distro/systemd/openvpn-cli...@.service.in |  2 +-
 distro/systemd/openvpn-ser...@.service.in |  2 +-
 src/openvpn/init.c| 25 ++-
 src/openvpn/platform.c| 79 +++
 src/openvpn/platform.h|  5 ++
 6 files changed, 127 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index 7199483a..5832b62f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -794,6 +794,24 @@ dnl
esac
 fi
 
+dnl
+dnl Depend on libcap-ng on Linux
+dnl
+case "$host" in
+   *-*-linux*)
+   PKG_CHECK_MODULES([LIBCAPNG],
+ [libcap-ng],
+ [have_libcapng="yes"],
+ [AC_MSG_ERROR([libcap-ng package not found. 
Is the development package and pkg-config installed?])]
+   )
+
+   CFLAGS="${CFLAGS} ${LIBCAPNG_CFALGS}"
+   LIBS="${LIBS} ${LIBCAPNG_LIBS}"
+   AC_DEFINE(HAVE_LIBCAPNG, 1, [Enable libcap-ng support])
+   ;;
+esac
+
+
 if test "${with_crypto_library}" = "openssl"; then
AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL])
AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL])
diff --git a/distro/systemd/openvpn-cli...@.service.in 
b/distro/systemd/openvpn-cli...@.service.in
index cbcef653..159fb4dc 100644
--- a/distro/systemd/openvpn-cli...@.service.in
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -11,7 +11,7 @@ Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn/client
 ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
diff --git a/distro/systemd/openvpn-ser...@.service.in 
b/distro/systemd/openvpn-ser...@.service.in
index d1cc72cb..6e8e7d94 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -11,7 +11,7 @@ Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE 
CAP_AUDIT_WRITE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE 
CAP_AUDIT_WRITE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 8818ba6f..705eb92e 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1138,6 +1138,25 @@ possibly_become_daemon(const struct options *options)
 return ret;
 }
 
+/*
+ * Determine if we need to retain process capabilities. DCO and SITNL need it.
+ * Enforce it for DCO, but only try and soft-fail for SITNL to keep backwards 
compat.
+ */
+static int
+get_need_keep_caps(struct context *c)
+{
+if (dco_enabled(>options))
+{
+return 1;
+}
+
+#ifdef ENABLE_SITNL
+return -1;
+#else
+return 0;
+#endif
+}
+
 /*
  * Actually do UID/GID downgrade, chroot and SELinux context switching, if 
requested.
  */
@@ -1167,8 +1186,10 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
 {
 if (no_delay)
 {
-platform_group_set(>platform_state_group);
-platform_user_set(>platform_state_user);
+int keep_caps = get_need_keep_caps(c);
+platform_user_group_set(>platform_state_user,
+>platform_state_group,
+keep_caps);
 }
 else if (c->first_time)
 {
diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
index 450f28ba..e67844ad 100644
--- a/src/openvpn/platform.c
+++ b/src/openvpn/platform.c
@@ -43,6 +43,10 @@
 #include 
 #endif
 
+#ifdef HAVE_LIBCAPNG
+#include 
+#endif
+
 /* Redefine the top level directory of the filesystem
  * to restrict access to files for security */
 void
@@ -155,6 +159,81 @@ platform_group_set(const struct platform_state_group 
*state)
 #endif
 }
 
+void platform_user_group_set(const struct platform_state_user *user_state,
+ const struct platform_state_group *group_state,
+ int keep_caps)
+{
+unsigned int err_flags = (keep_caps > 0) ? M_FATAL : M_NONFATAL;
+#ifdef HAVE_LIBCAPNG
+int new_gid = -1, new_uid = -1;
+int res;
+
+if (keep_caps == 0)
+{
+goto fallback;
+}
+
+/*
+ * new_uid/new_gid defaults to 

Re: [Openvpn-devel] [PATCH] Retain CAP_NET_ADMIN when dropping privileges

2022-03-30 Thread Antonio Quartulli

Hi,

On 30/03/2022 13:57, Gert Doering wrote:

Hi,

On Wed, Mar 30, 2022 at 01:31:24PM +0200, Timo Rothenpieler wrote:

It is possible to argue that sitnl does low-level calls to the kernel as
well.  But potential libraries had an API which was making everything
far more complex on the OpenVPN side.  For libcap-ng at least, that is
not the case; as the API it provides is pretty simple.


Shouldn't caps support also be enabled when sitnl is in use?
Given it also needs CAP_NET_ADMIN.


That was a misunderstanding.  David explained why we are not using a
library but directly talk to the netlink socket for SITNL.

And yes, we want CAP_NET_ADMIN for sitnl+--user as well ;-)


One detail: using SITNL is a compile time decision, while using DCO is a 
runtime decision (assuming it was compiled in)


Thanks!

--
Antonio Quartulli




Re: [Openvpn-devel] [PATCH] Retain CAP_NET_ADMIN when dropping privileges

2022-03-30 Thread Gert Doering
Hi,

On Wed, Mar 30, 2022 at 01:31:24PM +0200, Timo Rothenpieler wrote:
> > It is possible to argue that sitnl does low-level calls to the kernel as 
> > well.  But potential libraries had an API which was making everything 
> > far more complex on the OpenVPN side.  For libcap-ng at least, that is 
> > not the case; as the API it provides is pretty simple.
> 
> Shouldn't caps support also be enabled when sitnl is in use?
> Given it also needs CAP_NET_ADMIN.

That was a misunderstanding.  David explained why we are not using a 
library but directly talk to the netlink socket for SITNL.

And yes, we want CAP_NET_ADMIN for sitnl+--user as well ;-)

Thanks for your help on this,

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH] Retain CAP_NET_ADMIN when dropping privileges

2022-03-30 Thread Timo Rothenpieler

On 30.03.2022 11:11, David Sommerseth wrote:

On 30/03/2022 10:51, David Sommerseth wrote:

On 29/03/2022 21:29, Timo Rothenpieler wrote:

---
This patch sits on top of the current dco branch, and will not apply to
latest master.

It solves the issue of dropping root privileges breaking dco and sitnl
due to missing NET_ADMIN capabilities.


  configure.ac   |  3 ++
  src/openvpn/init.c | 22 +-
  src/openvpn/platform.c | 65 +-
  src/openvpn/platform.h |  2 +-
  4 files changed, 89 insertions(+), 3 deletions(-)



Thanks a lot!  I've quickly looked through the code, and I have to NAK 
this approach:



+#ifdef HAVE_LINUX_CAPABILITIES
+#define SET_CAP_HELPER(data, set, cap) data[(cap)>>5].set |= 
1<<((cap)&31)

+
+static bool
+do_keep_caps(bool prepare)
+{
+    struct __user_cap_header_struct cap_hdr = { 
_LINUX_CAPABILITY_VERSION_3 };
+    struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] 
= {};

+
+    if (syscall(SYS_capget, _hdr, cap_data) < 0)


We should really use libcap or libcap-ng and not avoid using syscalls 
directly.


Is there any preference between the two? I initially used libcap, but 
wanted to avoid introducing another dependency.
But both libcap and libcap-ng seem to be widely adopted by distros, and 
there isn't a huge difference in boilerplate between them for this purpose.



This did not come out well.  Sorry about that.

We should really avoid using syscalls directly, as that binds us to 
certain APIs and bindings.


Newer kernels may also require additional adjustments in the future, to 
preserve the same behaviour.  Which means we need to maintain this code 
and also pay more attention to the security aspects of privilege 
management, like new vulnerabilities and exploits.


The libcap or libcap-ng libraries are used by far more applications, 
doing similar privilege management - and these libraries already pay 
attention to the security aspects of new vulnerabilities and exploits. 
The libcap-ng library is also recommended by more developers, due to its 
simpler API.


It is possible to argue that sitnl does low-level calls to the kernel as 
well.  But potential libraries had an API which was making everything 
far more complex on the OpenVPN side.  For libcap-ng at least, that is 
not the case; as the API it provides is pretty simple.


Shouldn't caps support also be enabled when sitnl is in use?
Given it also needs CAP_NET_ADMIN.





[Openvpn-devel] Summary of the community meeting (30th March 2022)

2022-03-30 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 30th March 2022
Time: 10:30 CEST (8:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, d12fk, mattock, MaxF, novaflash, ordex and plaisthos 
participated in this meeting.


---

Cron2 noted that the hackathon T-shirts have not yet been sent to 
novaflash for further distribution.


--

Novaflash presented a workaround to the "no IPv6 on community servers" 
dilemma. The proposal is to create subdomains in Cloudflare for each 
community server and turn on IPv6 there without affecting the whole of 
openvpn.net domain. This seems the only reasonable way forward that can 
be done relatively quickly.


--

Talked about OpenVPN 2.6.

Plaisthos has HMAC based (syn cookies) three way handshake working for 
none/tls-auth/tls-crypt. Cron2 is fighting DCO and iroutes right now, 
but he has a path forward. Besides that the patch queue looks fairly 
decent. The big ones are done, there are a few small ones that want to 
be looked at (and old stuff that needs to be revived or closed). Some 
patches in the queue require more careful review before being merged.


--

Talked about community server upgrade. Mattock plans to migrate the 
current (somewhat outdated) community servers to the new VPC, then 
upgrade them one by one.


--

Talked about new production buildbot. It is now email notification 
capable. It was agreed to make it send build failures and other 
notifications to the openvpn-builds mailing list.


Potentially it could be configured to notify "projects owners" as well 
if we wanted that.


--

Full chatlog attached
(11.24.21) mattock: meeting time almost here
(11.26.59) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] è entrato nella 
stanza.
(11.30.46) novaflash [~novafl...@185-227-75-241.dsl.cambrium.nl] è entrato 
nella stanza.
(11.32.45) mattock: anyone here?
(11.32.57) dazo: yupp!
(11.32.58) novaflash: no
(11.33.02) cron2: meow
(11.33.05) MaxF: not me!
(11.33.34) novaflash: hey cron2 - did i neglect to send you my address in 
regards to distribution of t-shirts?
(11.34.26) d12fk: also here mattock
(11.34.37) cron2: no, but after it took weeks to get the addresses, I got too 
busy otherwise... so sorry, t-shirts still sitting here.
(11.34.43) ***cron2 feeling embarrassed
(11.35.01) novaflash: ah okay. so it's not my fault.
(11.35.15) novaflash: we still didn't get ipv6
(11.35.16) cron2: *this* is all my fault.  Everything else can be your fault 
today :-)
(11.35.18) ***novaflash feeling embarrassed
(11.35.38) d12fk: btw, closed the --dns PR on github manually, didn't autoclose 
b/c of the formatting changes by cron2
(11.36.01) novaflash: okay, i already managed to deflect some blame onto dazo 
yesterday, so i'm ready to take on more today.
(11.36.08) cron2: github autodetects merged patches, even if no reference to 
the PR in the commit message?
(11.36.34) d12fk: git can do that
(11.36.55) d12fk: iff the sha is the same
(11.37.29) d12fk: this time it just showed conflicts with master wy on the 
bottom
(11.37.48) cron2: well, yeah, that's the uncrustification
(11.38.01) cron2: d12fk: but that's good to know
(11.40.17) mattock: maybe novaflash can mention the potential workaround/fix to 
the IPv6 dilemma?
(11.40.28) novaflash: oh yeah
(11.40.37) novaflash: you can set a different nameserver per subdomain
(11.40.56) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-03-30
(11.41.03) novaflash: so we can run another nameserver for community stuff and 
assign the subdomains to that nameserver so it can do ipv4 and ipv6 without 
affecting the rest of the openvpn.net domain's dns settings
(11.41.15) cron2 ha scelto come argomento: 
https://community.openvpn.net/openvpn/wiki/Topics-2022-03-30
(11.41.23) novaflash: which, if i understand the situation correctly, can be a 
workaround/solution, at least until the time the company does ipv6 on the whole 
domain.
(11.41.56) cron2: that sounds like a way forward for community :-) - and way 
backward for corp ("we have solved what Gert is complaing about, so we do not 
need to fix the actual thing")
(11.42.01) mattock: "until the time" could be years from now, so I think this 
is a reasonable hack
(11.42.39) cron2: I'm fine if I have IPv6 on everything I want to access 
regularily...
(11.43.06) novaflash: does your fridge have ipv6?
(11.43.31) cron2: it has no network connection
(11.43.42) novaflash: but then how will you access it..
(11.43.46) mattock: I will get worried when they start selling axes that have 
IPv6
(11.44.12) mattock: anyhow
(11.44.22) mattock: novaflash: did you do a PoC about this subdomain thing?
(11.44.28) novaflash: no
(11.44.33) novaflash: but it's trivial to try one
(11.44.42) cron2: novaflash: I walk into the 

Re: [Openvpn-devel] [PATCH] Retain CAP_NET_ADMIN when dropping privileges

2022-03-30 Thread David Sommerseth

On 30/03/2022 10:51, David Sommerseth wrote:

On 29/03/2022 21:29, Timo Rothenpieler wrote:

---
This patch sits on top of the current dco branch, and will not apply to
latest master.

It solves the issue of dropping root privileges breaking dco and sitnl
due to missing NET_ADMIN capabilities.


  configure.ac   |  3 ++
  src/openvpn/init.c | 22 +-
  src/openvpn/platform.c | 65 +-
  src/openvpn/platform.h |  2 +-
  4 files changed, 89 insertions(+), 3 deletions(-)



Thanks a lot!  I've quickly looked through the code, and I have to NAK 
this approach:



+#ifdef HAVE_LINUX_CAPABILITIES
+#define SET_CAP_HELPER(data, set, cap) data[(cap)>>5].set |= 
1<<((cap)&31)

+
+static bool
+do_keep_caps(bool prepare)
+{
+    struct __user_cap_header_struct cap_hdr = { 
_LINUX_CAPABILITY_VERSION_3 };
+    struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] 
= {};

+
+    if (syscall(SYS_capget, _hdr, cap_data) < 0)


We should really use libcap or libcap-ng and not avoid using syscalls 
directly.


This did not come out well.  Sorry about that.

We should really avoid using syscalls directly, as that binds us to 
certain APIs and bindings.


Newer kernels may also require additional adjustments in the future, to 
preserve the same behaviour.  Which means we need to maintain this code 
and also pay more attention to the security aspects of privilege 
management, like new vulnerabilities and exploits.


The libcap or libcap-ng libraries are used by far more applications, 
doing similar privilege management - and these libraries already pay 
attention to the security aspects of new vulnerabilities and exploits. 
The libcap-ng library is also recommended by more developers, due to its 
simpler API.


It is possible to argue that sitnl does low-level calls to the kernel as 
well.  But potential libraries had an API which was making everything 
far more complex on the OpenVPN side.  For libcap-ng at least, that is 
not the case; as the API it provides is pretty simple.


I have used libcap-ng in openvpn3-linux, both for preserving 
capabilities and dropping root.  It does all the right steps fairly easily.


The configure.ac detection, which for OpenVPN 2.x can be restricted when 
DCO is going to be built into openvpn:



The code for preserving capabilities:
 



And the code for dropping root, ensuring the capabilities are restricted 
properly:
 




--
kind regards,

David Sommerseth
OpenVPN Inc





Re: [Openvpn-devel] [PATCH] Retain CAP_NET_ADMIN when dropping privileges

2022-03-30 Thread David Sommerseth

On 29/03/2022 21:29, Timo Rothenpieler wrote:

---
This patch sits on top of the current dco branch, and will not apply to
latest master.

It solves the issue of dropping root privileges breaking dco and sitnl
due to missing NET_ADMIN capabilities.


  configure.ac   |  3 ++
  src/openvpn/init.c | 22 +-
  src/openvpn/platform.c | 65 +-
  src/openvpn/platform.h |  2 +-
  4 files changed, 89 insertions(+), 3 deletions(-)



Thanks a lot!  I've quickly looked through the code, and I have to NAK 
this approach:



+#ifdef HAVE_LINUX_CAPABILITIES
+#define SET_CAP_HELPER(data, set, cap) data[(cap)>>5].set |= 1<<((cap)&31)
+
+static bool
+do_keep_caps(bool prepare)
+{
+struct __user_cap_header_struct cap_hdr = { _LINUX_CAPABILITY_VERSION_3 };
+struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] = {};
+
+if (syscall(SYS_capget, _hdr, cap_data) < 0)


We should really use libcap or libcap-ng and not avoid using syscalls 
directly.


I have used libcap-ng in openvpn3-linux, both for preserving 
capabilities and dropping root.  It does all the right steps fairly easily.


The configure.ac detection, which for OpenVPN 2.x can be restricted when 
DCO is going to be built into openvpn:



The code for preserving capabilities:


And the code for dropping root, ensuring the capabilities are restricted 
properly:




--
kind regards,

David Sommerseth
OpenVPN Inc


