Reduce LXC capabilities

eb6d21cc · Daniel P. Berrange · 96619805 · eb6d21cc · eb6d21cc · eb6d21cc
隐藏空白更改
内联并排

Showing with 80 addition and 21 deletion

ChangeLog ChangeLog +9 -0

src/lxc_container.c src/lxc_container.c +43 -21

src/lxc_controller.c src/lxc_controller.c +28 -0

未找到文件。
--- a/ChangeLog
+++ b/ChangeLog
+Mon Jun 29 18:01:20 BST 2009 Daniel P. Berrange <berrange@redhat.com>
+	Reduce LXC capabilities
+	* src/lxc_container.c: Use libcap-ng to clear capabilities,
+	and also drop SYS_MODULE, SYS_TIME, AUDIT_CONTROL, and
+	MAC_ADMIN, in addition to SYS_BOOT.
+	* src/lxc_controller.c: Drop all capabilities once container
+	has been spawned.
 Mon Jun 29 12:48:20 BST 2009 Daniel P. Berrange <berrange@redhat.com>
 	Use libcap-ng to clear capabilities for many child processes

--- a/src/lxc_container.c
+++ b/src/lxc_container.c
@@ -41,8 +41,9 @@
 /* For MS_MOVE */
 #include <linux/fs.h>
-#include <sys/prctl.h>
+#if HAVE_CAPNG
-#include <linux/capability.h>
+#include <cap-ng.h>
+#endif
 #include "virterror_internal.h"
 #include "logging.h"
@@ -642,27 +643,48 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
        return lxcContainerSetupExtraMounts(vmDef);
 }
-static int lxcContainerDropCapabilities(virDomainDefPtr vmDef ATTRIBUTE_UNUSED)
+/*
+ * This is running as the 'init' process insid the container.
+ * It removes some capabilities that could be dangerous to
+ * host system, since they are not currently "containerized"
+ */
+static int lxcContainerDropCapabilities(void)
 {
-#ifdef PR_CAPBSET_DROP
+#if HAVE_CAPNG
-    int i;
+    int ret;
-    const struct {
-        int id;
+    capng_get_caps_process();
-        const char *name;
-    } caps[] = {
+    if ((ret = capng_updatev(CAPNG_DROP,
-#define ID_STRING(name) name, #name
+                             CAPNG_EFFECTIVE | CAPNG_PERMITTED |
-        { ID_STRING(CAP_SYS_BOOT) },
+                             CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
-    };
+                             CAP_SYS_BOOT, /* No use of reboot */
+                             CAP_SYS_MODULE, /* No kernel module loading */
+                             CAP_SYS_TIME, /* No changing the clock */
+                             CAP_AUDIT_CONTROL, /* No messing with auditing status */
+                             CAP_MAC_ADMIN, /* No messing with LSM config */
+                             -1 /* sentinal */)) < 0) {
+        lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+                 _("failed to remove capabilities %d"), ret);
+        return -1;
+    }
-    for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
+    if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
-        if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
+        lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
-            lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+                 _("failed to apply capabilities: %d"), ret);
-                     _("failed to drop %s"), caps[i].name);
+        return -1;
-            return -1;
-        }
    }
-#else /* ! PR_CAPBSET_DROP */
-    VIR_WARN0(_("failed to drop capabilities PR_CAPBSET_DROP undefined"));
+    /* Need to prevent them regaining any caps on exec */
+    if ((ret = capng_lock()) < 0) {
+        lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+                 _("failed to lock capabilities: %d"), ret);
+        return -1;
+    }
+#else
+    VIR_WARN0(_("libcap-ng support not compiled in, unable to clear capabilities"));
 #endif
    return 0;
 }
@@ -735,7 +757,7 @@ static int lxcContainerChild( void *data )
        return -1;
    /* drop a set of root capabilities */
-    if (lxcContainerDropCapabilities(vmDef) < 0)
+    if (lxcContainerDropCapabilities() < 0)
        return -1;
    /* this function will only return if an error occured */

--- a/src/lxc_controller.c
+++ b/src/lxc_controller.c
@@ -35,6 +35,10 @@
 #include <getopt.h>
 #include <sys/mount.h>
+#if HAVE_CAPNG
+#include <cap-ng.h>
+#endif
 #include "virterror_internal.h"
 #include "logging.h"
 #include "util.h"
@@ -210,6 +214,25 @@ cleanup:
    return rc;
 }
+static int lxcControllerClearCapabilities(void)
+{
+#if HAVE_CAPNG
+    int ret;
+    capng_clear(CAPNG_SELECT_BOTH);
+    if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
+        lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+                 _("failed to apply capabilities: %d"), ret);
+        return -1;
+    }
+#else
+    VIR_WARN0(_("libcap-ng support not compiled in, unable to clear capabilities"));
+#endif
+    return 0;
+}
 typedef struct _lxcTtyForwardFd_t {
    int fd;
    int active;
@@ -562,6 +585,11 @@ lxcControllerRun(virDomainDefPtr def,
    if (lxcContainerSendContinue(control[0]) < 0)
        goto cleanup;
+    /* Now the container is running, there's no need for us to keep
+       any elevated capabilities */
+    if (lxcControllerClearCapabilities() < 0)
+        goto cleanup;
    rc = lxcControllerMain(monitor, client, appPty, containerPty);
 cleanup: