Interaction user namespace, /proc/1 ownership & cap_set
Daniel P. Berrange
berrange at redhat.com
Fri Jul 12 10:04:20 UTC 2013
On Tue, Jul 02, 2013 at 10:12:34AM -0700, Eric W. Biederman wrote:
> "Daniel P. Berrange" <berrange at redhat.com> writes:
>
> > Ah, yes, that would explain it. My demo is removing the SYS_MODULE
> > capability, and then exec'ing the shell binary. Since we are uid==0,
> > and prctl(PR_CAPBSET_DROP) is not available inside the user namespace,
> > the rules for capabilities vs execve() call will cause the shell
> > binary to regain SYS_MODULE capability bit.
> >
> > So the problem I'm seeing in libvirt is all a result of the fact
> > that we can't use PR_CAPBSET_DROP inside the user namespace. Given
> > that there's no point trying to drop any capabilities inside the
> > user namespace.
> >
> > The only slight problem here is that we want to drop CAP_MKNOD so
> > that systemd can detect that it shouldn't attempt to run any units
> > which would rely on mknod.
>
> I just looked at that and I don't see a justification for the
> restriction.
>
> Could you try the patch below and see if it fixes things for you?
>
> Eric
>
>
> From: "Eric W. Biederman" <ebiederm at xmission.com>
> Date: Tue, 2 Jul 2013 10:04:54 -0700
> Subject: [PATCH] userns: Allow PR_CAPBSET_DROP in a user namespace.
>
> As the capabilites and capability bounding set are per user namespace
> properties it is safe to allow changing them with just CAP_SETPCAP
> permission in the user namespace.
>
> Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
> ---
> security/commoncap.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 4d787e6..fd9b08f 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -843,7 +843,7 @@ int cap_task_setnice(struct task_struct *p, int nice)
> */
> static long cap_prctl_drop(struct cred *new, unsigned long cap)
> {
> - if (!capable(CAP_SETPCAP))
> + if (!ns_capable(current_user_ns(), CAP_SETPCAP))
> return -EPERM;
> if (!cap_valid(cap))
> return -EINVAL;
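Review bot: the permission check now consults `current_user_ns()` while the function operates on the `struct cred *new` passed in; it would help the commit message (or a one-line comment above the check) to state why the two agree here, or to check against `new->user_ns` so the test and the cred being modified visibly refer to the same namespace. Also worth noting in the description that, because the `ns_capable()` test still precedes `cap_valid(cap)`, an unprivileged caller in a user namespace keeps getting `-EPERM` rather than `-EINVAL` for an out-of-range capability, which is the existing behaviour and matches the single-line change.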
Yes, that works in my testing with libvirt. Feel free to add
Tested-by: Daniel P. Berrange <berrange at redhat.com>
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
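The behaviour under discussion, as an added example that is not part of the thread, libvirt or the kernel patch: a small program that reads the capability bounding set with prctl(PR_CAPBSET_READ) and attempts to shrink it with prctl(PR_CAPBSET_DROP), classifying the outcome. Before the quoted patch, a uid-0 process inside a user namespace receives EPERM on the drop, so the bit survives execve(); after it, the drop succeeds and the exec'd binary cannot regain the capability. The helper names (capbset_has, capbset_drop, describe_drop) are this example's own, and the capabilities it probes (CAP_SYS_MODULE, CAP_MKNOD) are the two Daniel mentions.

```c
/* Added example, not code from the thread: probe and shrink the capability
 * bounding set via prctl(), reporting the EPERM case the thread describes. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* 1 if cap is still in the bounding set, 0 if it has been dropped,
 * -1 with errno == EINVAL if cap is not a valid capability number. */
int capbset_has(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
}

/* Try to remove cap from the bounding set. Returns 0 on success, otherwise
 * the errno value. Note the kernel checks CAP_SETPCAP before cap_valid(),
 * so a caller without CAP_SETPCAP sees EPERM even for a bogus cap number. */
int capbset_drop(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Human-readable classification of a drop attempt. Once the bit is gone from
 * the bounding set, execve() of a uid-0 binary can no longer reacquire it. */
const char *describe_drop(int cap)
{
    int present = capbset_has(cap);
    if (present < 0)
        return "invalid capability number";
    if (present == 0)
        return "already absent from bounding set";

    int err = capbset_drop(cap);
    if (err == 0)
        return "dropped; execve() cannot restore it";
    if (err == EPERM)
        return "EPERM: caller lacks CAP_SETPCAP in its user namespace";
    return "unexpected error";
}

int main(void)
{
    const char *names[] = { "CAP_SYS_MODULE", "CAP_MKNOD" };
    const int caps[] = { CAP_SYS_MODULE, CAP_MKNOD };

    for (int i = 0; i < 2; i++) {
        int before = capbset_has(caps[i]);
        const char *outcome = describe_drop(caps[i]);
        printf("%-15s in bounding set before=%d: %s\n", names[i], before, outcome);
    }
    return 0;
}
```

Run it once as an unprivileged user and once as root inside `unshare -Ur`; on a kernel without the patch the second run reports EPERM, which is exactly the symptom libvirt hit.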