From fe03d58621035a8598c2c2797603233bc930e6e8 Mon Sep 17 00:00:00 2001 From: Laine Stump Date: Wed, 13 Mar 2013 15:26:35 -0400 Subject: [PATCH] util: fix clear_emulator_capabilities=0 My commit 7a2e845a865dc7fa82d2393ea2a770cfc8cf00b4 (and its prerequisites) managed to effectively ignore the clear_emulator_capabilities setting in qemu.conf (visible in the code as the VIR_EXEC_CLEAR_CAPS flag when qemu is being exec'ed), with the result that the capabilities are always cleared regardless of the qemu.conf setting. This patch fixes it by passing the flag through to virSetUIDGIDWithCaps(), which uses it to decide whether or not to clear existing capabilities before adding in those that were requested. Note that the existing capabilities are *always* cleared if the new process is going to run as non-root, since the whole point of running non-root is to have the capabilities removed (it's still possible to maintain individual capabilities as needed using the capBits argument though). (cherry picked from commit 2639c6320647778c1496008058dde57dfca35b92) --- src/util/vircommand.c | 4 +++- src/util/virutil.c | 16 ++++++++++------ src/util/virutil.h | 3 ++- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/src/util/vircommand.c b/src/util/vircommand.c index f672101f22..ac56a638a8 100644 --- a/src/util/vircommand.c +++ b/src/util/vircommand.c @@ -639,8 +639,10 @@ virExec(virCommandPtr cmd) cmd->capabilities || (cmd->flags & VIR_EXEC_CLEAR_CAPS)) { VIR_DEBUG("Setting child uid:gid to %d:%d with caps %llx", (int)cmd->uid, (int)cmd->gid, cmd->capabilities); - if (virSetUIDGIDWithCaps(cmd->uid, cmd->gid, cmd->capabilities) < 0) + if (virSetUIDGIDWithCaps(cmd->uid, cmd->gid, cmd->capabilities, + !!(cmd->flags & VIR_EXEC_CLEAR_CAPS)) < 0) { goto fork_error; + } } if (cmd->pwd) { diff --git a/src/util/virutil.c b/src/util/virutil.c index 4605c78ca7..a0d15302dc 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c @@ -2998,18 +2998,21 @@ virGetGroupName(gid_t gid ATTRIBUTE_UNUSED) * errno). */ int -virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned long long capBits) +virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned long long capBits, + bool clearExistingCaps) { int ii, capng_ret, ret = -1; bool need_setgid = false, need_setuid = false; bool need_prctl = false, need_setpcap = false; - /* First drop all caps except those in capBits + the extra ones we - * need to change uid/gid and change the capabilities bounding - * set. + /* First drop all caps (unless the requested uid is "unchanged" or + * root and clearExistingCaps wasn't requested), then add back + * those in capBits + the extra ones we need to change uid/gid and + * change the capabilities bounding set. */ - capng_clear(CAPNG_SELECT_BOTH); + if (clearExistingCaps || (uid != -1 && uid != 0)) + capng_clear(CAPNG_SELECT_BOTH); for (ii = 0; ii <= CAP_LAST_CAP; ii++) { if (capBits & (1ULL << ii)) { @@ -3095,7 +3098,8 @@ cleanup: int virSetUIDGIDWithCaps(uid_t uid, gid_t gid, - unsigned long long capBits ATTRIBUTE_UNUSED) + unsigned long long capBits ATTRIBUTE_UNUSED, + bool clearExistingCaps ATTRIBUTE_UNUSED) { return virSetUIDGID(uid, gid); } diff --git a/src/util/virutil.h b/src/util/virutil.h index 2dc3403821..665ad78edd 100644 --- a/src/util/virutil.h +++ b/src/util/virutil.h @@ -54,7 +54,8 @@ int virPipeReadUntilEOF(int outfd, int errfd, char **outbuf, char **errbuf); int virSetUIDGID(uid_t uid, gid_t gid); -int virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned long long capBits); +int virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned long long capBits, + bool clearExistingCaps); int virFileReadLimFD(int fd, int maxlen, char **buf) ATTRIBUTE_RETURN_CHECK;