[PATCH 1/1] RFC: taking a crack at targeted capabilities

Eric W. Biederman ebiederm at xmission.com
Wed Jan 6 07:44:23 PST 2010


"Serge E. Hallyn" <serue at us.ibm.com> writes:

> So i was thinking about how to safely but incrementally introduce
> targeted capabilities - which we decided was a prereq to making VFS
> handle user namespaces - and the following seemed doable.  My main
> motivations were (in order):
>
>         1. don't make any unconverted capable() checks unsafe
>         2. minimize performance impact on non-container case
>         3. minimize performance impact on containers
>
> This patch adds a per-task inherited securebit SECURE_CONTAINERIZED.
> The capable() call is considered unconverted.  Therefore any call
> to capable() by a task which is SECURE_CONTAINERIZED returns -EPERM.
>
> A new syscall capable_to() is the container-aware version of capable().
>
> int capable_to(int cap, enum ns_type type, void *src, void *dest);
>
> meaning a task which owns 'src' wants 'cap' access to an object
> in namespace 'dest'.
>
> In a case like setting hostname, there is no way to try to set the
> hostname in another container, so the check is converted in this patch to
>
>         capable_to(CAP_SYS_ADMIN, NS_TYPE_NONE, NULL, NULL);
>
> capable_to() will act like the old capable(), meaning grant permission
> if CAP_SYS_ADMIN is in pE.
>
> The check for sending a signal depends on a user namespace, so I
> converted an instance to
>
>         capable_to(CAP_KILL, NS_TYPE_USERNS, current_userns(),
>                         target->user_ns);
>
> The NS_TYPE_USERNS check checks whether target->userns is the same
> as or a descendent of target->user_ns.  If not, then -EPERM is
> returned even if the task has CAP_KILL.
>
> To test, compile a program (call it 'containerize_cap') that does
>
> 	prctl(PR_SET_SECUREBITS, 1 << 6 | 1 << 7);
> 	execl("/bin/bash", "bash", NULL);
>
> Run that in a container (say, do 'ns_exec -cmpuU /bin/bash' and
> run screen there).  Notice you can set hostname, but you can't
> for instance read user's directories which don't have world write
> perms, and can't mount.  You can also kill processes which are
> either in your own or a child user namespace, but not in a parent
> user namespace.
>
> Purely for discussion.  Comments?

This looks like a good start of discussion, and you have
choosen two good examples.

I believe your check for ancestor user namespaces is actually
too liberal, I can't quite follow it but it looks like any
process in an ancestor user namespace has all rights over
a child, which would let fred kill joe's processes..

I think we can use a much simpler definition, based on the core
concept that we are making the capabilities namespace relative,
thus we need to pass in which namespace we want the capability for.

	/* Put in kernel/capability.c */
	int capable(int cap)
	{
	        return capable_to(&init_user_ns, cap);
	}
	
	int capable_to(struct user_namespace *ns, int cap)
	{
	        if (unlikely(!cap_valid(cap))) {
			printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
			BUG();
	        }
	        
	        if (security_capable(ns, cap) == 0) {
	        	current->flags |= PF_SUPERPRIV;
	                return 1;
	        }
	        return 0;
	}
	
	/* Put in security/common_cap.c */
	int cap_capable(struct task_struct *tsk, const cred *cred,
	    		struct user_namespace *targ_ns, int targ_cap, int audit)
	{
	        struct user_namespace *curr_ns = cred->user->user_ns
	
	        for (;;) {
	        	/* Do we have the necessary capabilities? */
		        if (targ_ns == curr_ns)
				return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
	
			/* The creator of the user namespace has all caps. */
			if (targ_ns->creator == cred->user)
				return 0;
	
			/* Have we tried all of the parent namespaces? */
			if (targ_ns == &init_user_ns)
				return -EPERM;
	
			/* If you have the capability in a parent user ns you have it
	                 * in the over all children user namespaces as well, so see
	                 * if this process has the capability in the parent user
	                 * namespace.
	                 */
			targ_ns = targ_ns->creator->user_ns;
		}
	
	        /* We never get here */
		return -EPERM;                
	}


The example in check_kill_permission simply becomes:
	capable_to(tcred->user->user_ns, CAP_KILL);

While the check in hostname remains unchanged until we convert teach
the userns to unshare without privilege.  At which point the check should
become.
	capable_to(utsname()->creator->user_ns, CAP_SYS_ADMIN);

Which matters because we can set the hostname through /proc/sys....

Eric


More information about the Containers mailing list