@@ -194,6 +194,7 @@ vnc_tls=""
vnc_sasl=""
xen=""
linux_aio=""
+cap=""
gprof="no"
debug_tcg="no"
@@ -480,6 +481,10 @@ for opt do
;;
--enable-kvm) kvm="yes"
;;
+ --disable-cap) cap="no"
+ ;;
+ --enable-cap) cap="yes"
+ ;;
--enable-profiler) profiler="yes"
;;
--enable-cocoa)
@@ -710,6 +715,8 @@ echo " --disable-vde disable support for vde network"
echo " --enable-vde enable support for vde network"
echo " --disable-linux-aio disable Linux AIO support"
echo " --enable-linux-aio enable Linux AIO support"
+echo " --disable-libcap disable support for libcap"
+echo " --enable-libcap enable support for libcap"
echo " --enable-io-thread enable IO thread"
echo " --disable-blobs disable installing provided firmware blobs"
echo " --kerneldir=PATH look for kernel includes in PATH"
@@ -1108,6 +1115,29 @@ EOF
fi
##########################################
+# cap library probe
+if test "$cap" != "no" ; then
+ cap_libs="-lcap"
+ cat > $TMPC << EOF
+#include <sys/capability.h>
+int main(void)
+{
+ cap_init();
+ return 0;
+}
+EOF
+ if compile_prog "" "$cap_libs" ; then
+ cap=yes
+ libs_tools="$cap_libs $libs_tools"
+ else
+ if test "$cap" = "yes" ; then
+ feature_not_found "cap"
+ fi
+ cap=no
+ fi
+fi
+
+##########################################
# Sound support libraries probe
audio_drv_probe()
@@ -1850,6 +1880,7 @@ echo "fdt support $fdt"
echo "preadv support $preadv"
echo "fdatasync $fdatasync"
echo "uuid support $uuid"
+echo "libcap support $cap"
if test $sdl_too_old = "yes"; then
echo "-> Your SDL version is too old - please upgrade to have SDL support"
@@ -1931,6 +1962,9 @@ fi
if test "$vde" = "yes" ; then
echo "CONFIG_VDE=y" >> $config_host_mak
fi
+if test "$cap" = "yes" ; then
+ echo "CONFIG_LIBCAP=y" >> $config_host_mak
+fi
for card in $audio_card_list; do
def=CONFIG_`echo $card | tr '[:lower:]' '[:upper:]'`
echo "$def=y" >> $config_host_mak
@@ -33,6 +33,10 @@
#include "net/tap-linux.h"
+#ifdef CONFIG_LIBCAP
+#include <sys/capability.h>
+#endif
+
#define MAX_ACLS (128)
#define DEFAULT_ACL_FILE CONFIG_QEMU_CONFDIR "/bridge.conf"
@@ -186,6 +190,47 @@ static int send_fd(int c, int fd)
return sendmsg(c, &msg, 0);
}
+#ifdef CONFIG_LIBCAP
+static int drop_privileges(void)
+{
+ cap_t cap;
+ cap_value_t new_caps[] = {CAP_NET_ADMIN};
+
+ cap = cap_init();
+
+ /* set capabilities to be permitted and inheritable. we don't need the
+ * caps to be effective right now as they'll get reset when we seteuid
+ * anyway */
+ cap_set_flag(cap, CAP_PERMITTED, 1, new_caps, CAP_SET);
+ cap_set_flag(cap, CAP_INHERITABLE, 1, new_caps, CAP_SET);
+
+ if (cap_set_proc(cap) == -1) {
+ return -1;
+ }
+
+ cap_free(cap);
+
+ /* reduce our privileges to a normal user */
+ setegid(getgid());
+ seteuid(getuid());
+
+ cap = cap_init();
+
+ /* enable the our capabilities. we marked them as inheritable earlier
+ * which is what allows this to work. */
+ cap_set_flag(cap, CAP_EFFECTIVE, 1, new_caps, CAP_SET);
+ cap_set_flag(cap, CAP_PERMITTED, 1, new_caps, CAP_SET);
+
+ if (cap_set_proc(cap) == -1) {
+ return -1;
+ }
+
+ cap_free(cap);
+
+ return 0;
+}
+#endif
+
int main(int argc, char **argv)
{
struct ifreq ifr;
@@ -199,6 +244,17 @@ int main(int argc, char **argv)
int acl_count = 0;
int i, access_allowed;
+#ifdef CONFIG_LIBCAP
+ /* if we're run from an suid binary, immediately drop privileges preserving
+ * cap_net_admin */
+ if (geteuid() == 0 && getuid() != geteuid()) {
+ if (drop_privileges() == -1) {
+ fprintf(stderr, "failed to drop privileges\n");
+ return 1;
+ }
+ }
+#endif
+
/* parse arguments */
if (argc < 3 || argc > 4) {
fprintf(stderr, "Usage: %s [--use-vnet] BRIDGE FD\n", argv[0]);
The ideal way to use qemu-bridge-helper is to give it an fscap of using: setcap cap_net_admin=ep qemu-bridge-helper Unfortunately, most distros still do not have a mechanism to package files with fscaps applied. This means they'll have to SUID the qemu-bridge-helper binary. To improve security, use libcap to reduce our capability set to just cap_net_admin, then reduce privileges down to the calling user. This is hopefully close to equivalent to fscap support from a security perspective. Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> --- configure | 34 ++++++++++++++++++++++++++++++ qemu-bridge-helper.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+), 0 deletions(-)