Reduce LXC capabilities
@ -1,3 +1,12 @@
|
|||||||
|
Mon Jun 29 18:01:20 BST 2009 Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
|
||||||
|
Reduce LXC capabilities
|
||||||
|
* src/lxc_container.c: Use libcap-ng to clear capabilities,
|
||||||
|
and also drop SYS_MODULE, SYS_TIME, AUDIT_CONTROL, and
|
||||||
|
MAC_ADMIN, in addition to SYS_BOOT.
|
||||||
|
* src/lxc_controller.c: Drop all capabilities once container
|
||||||
|
has been spawned.
|
||||||
|
|
||||||
Mon Jun 29 12:48:20 BST 2009 Daniel P. Berrange <berrange@redhat.com>
|
Mon Jun 29 12:48:20 BST 2009 Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
|
||||||
Use libcap-ng to clear capabilities for many child processes
|
Use libcap-ng to clear capabilities for many child processes
|
||||||
|
@ -41,8 +41,9 @@
|
|||||||
/* For MS_MOVE */
|
/* For MS_MOVE */
|
||||||
#include <linux/fs.h>
|
#include <linux/fs.h>
|
||||||
|
|
||||||
#include <sys/prctl.h>
|
#if HAVE_CAPNG
|
||||||
#include <linux/capability.h>
|
#include <cap-ng.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#include "virterror_internal.h"
|
#include "virterror_internal.h"
|
||||||
#include "logging.h"
|
#include "logging.h"
|
||||||
@ -642,27 +643,48 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
|
|||||||
return lxcContainerSetupExtraMounts(vmDef);
|
return lxcContainerSetupExtraMounts(vmDef);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int lxcContainerDropCapabilities(virDomainDefPtr vmDef ATTRIBUTE_UNUSED)
|
|
||||||
{
|
|
||||||
#ifdef PR_CAPBSET_DROP
|
|
||||||
int i;
|
|
||||||
const struct {
|
|
||||||
int id;
|
|
||||||
const char *name;
|
|
||||||
} caps[] = {
|
|
||||||
#define ID_STRING(name) name, #name
|
|
||||||
{ ID_STRING(CAP_SYS_BOOT) },
|
|
||||||
};
|
|
||||||
|
|
||||||
for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
|
/*
|
||||||
if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
|
* This is running as the 'init' process insid the container.
|
||||||
|
* It removes some capabilities that could be dangerous to
|
||||||
|
* host system, since they are not currently "containerized"
|
||||||
|
*/
|
||||||
|
static int lxcContainerDropCapabilities(void)
|
||||||
|
{
|
||||||
|
#if HAVE_CAPNG
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
capng_get_caps_process();
|
||||||
|
|
||||||
|
if ((ret = capng_updatev(CAPNG_DROP,
|
||||||
|
CAPNG_EFFECTIVE | CAPNG_PERMITTED |
|
||||||
|
CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
|
||||||
|
CAP_SYS_BOOT, /* No use of reboot */
|
||||||
|
CAP_SYS_MODULE, /* No kernel module loading */
|
||||||
|
CAP_SYS_TIME, /* No changing the clock */
|
||||||
|
CAP_AUDIT_CONTROL, /* No messing with auditing status */
|
||||||
|
CAP_MAC_ADMIN, /* No messing with LSM config */
|
||||||
|
-1 /* sentinal */)) < 0) {
|
||||||
lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
|
lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
|
||||||
_("failed to drop %s"), caps[i].name);
|
_("failed to remove capabilities %d"), ret);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
|
||||||
|
lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
|
||||||
|
_("failed to apply capabilities: %d"), ret);
|
||||||
|
return -1;
|
||||||
}
|
}
|
||||||
#else /* ! PR_CAPBSET_DROP */
|
|
||||||
VIR_WARN0(_("failed to drop capabilities PR_CAPBSET_DROP undefined"));
|
/* Need to prevent them regaining any caps on exec */
|
||||||
|
if ((ret = capng_lock()) < 0) {
|
||||||
|
lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
|
||||||
|
_("failed to lock capabilities: %d"), ret);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
#else
|
||||||
|
VIR_WARN0(_("libcap-ng support not compiled in, unable to clear capabilities"));
|
||||||
#endif
|
#endif
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
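Review bot: The `#else` branch at the end of the new lxcContainerDropCapabilities only logs a warning and returns 0, so a build without libcap-ng now starts the container's init process with every capability intact, whereas the removed code still dropped CAP_SYS_BOOT from the bounding set via prctl(PR_CAPBSET_DROP) when that was available. Either keep the prctl path as an `#elif defined(PR_CAPBSET_DROP)` fallback or make the no-libcap-ng case fail rather than silently spawning a less confined container, and say so in the ChangeLog. The return value of `capng_get_caps_process()` is also ignored; if it fails the following capng_updatev/capng_apply act on whatever state the library holds, so guard it with `if (capng_get_caps_process() < 0) { lxcError(...); return -1; }`. Comment typos: `insid` should be `inside` and `sentinal` should be `sentinel`.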
@ -735,7 +757,7 @@ static int lxcContainerChild( void *data )
|
|||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
/* drop a set of root capabilities */
|
/* drop a set of root capabilities */
|
||||||
if (lxcContainerDropCapabilities(vmDef) < 0)
|
if (lxcContainerDropCapabilities() < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
/* this function will only return if an error occured */
|
/* this function will only return if an error occured */
|
||||||
|
@ -35,6 +35,10 @@
|
|||||||
#include <getopt.h>
|
#include <getopt.h>
|
||||||
#include <sys/mount.h>
|
#include <sys/mount.h>
|
||||||
|
|
||||||
|
#if HAVE_CAPNG
|
||||||
|
#include <cap-ng.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#include "virterror_internal.h"
|
#include "virterror_internal.h"
|
||||||
#include "logging.h"
|
#include "logging.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
@ -210,6 +214,25 @@ cleanup:
|
|||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int lxcControllerClearCapabilities(void)
|
||||||
|
{
|
||||||
|
#if HAVE_CAPNG
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
capng_clear(CAPNG_SELECT_BOTH);
|
||||||
|
|
||||||
|
if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
|
||||||
|
lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
|
||||||
|
_("failed to apply capabilities: %d"), ret);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
VIR_WARN0(_("libcap-ng support not compiled in, unable to clear capabilities"));
|
||||||
|
#endif
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
typedef struct _lxcTtyForwardFd_t {
|
typedef struct _lxcTtyForwardFd_t {
|
||||||
int fd;
|
int fd;
|
||||||
int active;
|
int active;
|
||||||
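Review bot: lxcControllerClearCapabilities clears every capability set but, unlike lxcContainerDropCapabilities in this same commit, never calls `capng_lock()` after `capng_apply()`, so the controller's no-capabilities state is not pinned by securebits; with the bounding set cleared this is presumably sufficient for a root process, but locking keeps the two paths consistent and makes the intent explicit. The `#else` branch degrades to a warning and `return 0`, which means a libvirtd built without libcap-ng runs the controller with full root capabilities for its whole lifetime while lxcControllerRun proceeds as though they were dropped; consider returning -1 there, or at least documenting that such a build is less confined. Note also that from this point the cleanup path of lxcControllerRun (outside this hunk) executes with no capabilities at all, so any privileged teardown it performs should be checked against that.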
@ -562,6 +585,11 @@ lxcControllerRun(virDomainDefPtr def,
|
|||||||
if (lxcContainerSendContinue(control[0]) < 0)
|
if (lxcContainerSendContinue(control[0]) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
|
/* Now the container is running, there's no need for us to keep
|
||||||
|
any elevated capabilities */
|
||||||
|
if (lxcControllerClearCapabilities() < 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
rc = lxcControllerMain(monitor, client, appPty, containerPty);
|
rc = lxcControllerMain(monitor, client, appPty, containerPty);
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
|