From patchwork Wed Nov 4 00:28:04 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anthony Liguori X-Patchwork-Id: 37544 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [199.232.76.165]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id C7BE9B7B65 for ; Wed, 4 Nov 2009 11:38:58 +1100 (EST) Received: from localhost ([127.0.0.1]:43968 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1N5Tto-0006qq-1a for incoming@patchwork.ozlabs.org; Tue, 03 Nov 2009 19:38:56 -0500 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1N5TjZ-00025T-7k for qemu-devel@nongnu.org; Tue, 03 Nov 2009 19:28:21 -0500 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1N5TjU-00020o-CQ for qemu-devel@nongnu.org; Tue, 03 Nov 2009 19:28:20 -0500 Received: from [199.232.76.173] (port=55920 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1N5TjU-00020d-8q for qemu-devel@nongnu.org; Tue, 03 Nov 2009 19:28:16 -0500 Received: from e4.ny.us.ibm.com ([32.97.182.144]:37732) by monty-python.gnu.org with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60) (envelope-from ) id 1N5TjT-0006aN-QB for qemu-devel@nongnu.org; Tue, 03 Nov 2009 19:28:16 -0500 Received: from d01relay07.pok.ibm.com (d01relay07.pok.ibm.com [9.56.227.147]) by e4.ny.us.ibm.com (8.14.3/8.13.1) with ESMTP id nA40KCPD013348 for ; Tue, 3 Nov 2009 19:20:12 -0500 Received: from d01av03.pok.ibm.com (d01av03.pok.ibm.com [9.56.224.217]) by d01relay07.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id nA40SED71491156 for ; Tue, 3 Nov 2009 19:28:14 -0500 Received: from d01av03.pok.ibm.com (loopback [127.0.0.1]) by d01av03.pok.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id nA3ERKdo014529 for ; Tue, 3 Nov 2009 09:27:20 -0500 Received: from localhost.localdomain (sig-9-76-202-214.mts.ibm.com [9.76.202.214]) by d01av03.pok.ibm.com (8.14.3/8.13.1/NCO v10.0 AVin) with ESMTP id nA3ERCZQ014030; Tue, 3 Nov 2009 09:27:16 -0500 From: Anthony Liguori To: qemu-devel@nongnu.org Date: Tue, 3 Nov 2009 18:28:04 -0600 Message-Id: <1257294485-27015-4-git-send-email-aliguori@us.ibm.com> X-Mailer: git-send-email 1.6.2.5 In-Reply-To: <1257294485-27015-1-git-send-email-aliguori@us.ibm.com> References: <1257294485-27015-1-git-send-email-aliguori@us.ibm.com> X-detected-operating-system: by monty-python.gnu.org: GNU/Linux 2.6, seldom 2.4 (older, 4) Cc: Mark McLoughlin , Anthony Liguori , Arnd Bergmann , Dustin Kirkland , Michael Tsirkin , Juan Quintela Subject: [Qemu-devel] [PATCH 3/4] Add cap reduction support to enable use as SUID binary X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org The ideal way to use qemu-bridge-helper is to give it an fscap of using: setcap cap_net_admin=ep qemu-bridge-helper Unfortunately, most distros still do not have a mechanism to package files with fscaps applied. This means they'll have to SUID the qemu-bridge-helper binary. To improve security, use libcap to reduce our capability set to just cap_net_admin, then reduce privileges down to the calling user. This is hopefully close to equivalent to fscap support from a security perspective. Signed-off-by: Anthony Liguori --- configure | 34 ++++++++++++++++++++++++++++++ qemu-bridge-helper.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+), 0 deletions(-) diff --git a/configure b/configure index 7c98257..7c9d3a2 100755 --- a/configure +++ b/configure @@ -194,6 +194,7 @@ vnc_tls="" vnc_sasl="" xen="" linux_aio="" +cap="" gprof="no" debug_tcg="no" @@ -480,6 +481,10 @@ for opt do ;; --enable-kvm) kvm="yes" ;; + --disable-cap) cap="no" + ;; + --enable-cap) cap="yes" + ;; --enable-profiler) profiler="yes" ;; --enable-cocoa) @@ -710,6 +715,8 @@ echo " --disable-vde disable support for vde network" echo " --enable-vde enable support for vde network" echo " --disable-linux-aio disable Linux AIO support" echo " --enable-linux-aio enable Linux AIO support" +echo " --disable-libcap disable support for libcap" +echo " --enable-libcap enable support for libcap" echo " --enable-io-thread enable IO thread" echo " --disable-blobs disable installing provided firmware blobs" echo " --kerneldir=PATH look for kernel includes in PATH" @@ -1108,6 +1115,29 @@ EOF fi ########################################## +# cap library probe +if test "$cap" != "no" ; then + cap_libs="-lcap" + cat > $TMPC << EOF +#include +int main(void) +{ + cap_init(); + return 0; +} +EOF + if compile_prog "" "$cap_libs" ; then + cap=yes + libs_tools="$cap_libs $libs_tools" + else + if test "$cap" = "yes" ; then + feature_not_found "cap" + fi + cap=no + fi +fi + +########################################## # Sound support libraries probe audio_drv_probe() @@ -1850,6 +1880,7 @@ echo "fdt support $fdt" echo "preadv support $preadv" echo "fdatasync $fdatasync" echo "uuid support $uuid" +echo "libcap support $cap" if test $sdl_too_old = "yes"; then echo "-> Your SDL version is too old - please upgrade to have SDL support" @@ -1931,6 +1962,9 @@ fi if test "$vde" = "yes" ; then echo "CONFIG_VDE=y" >> $config_host_mak fi +if test "$cap" = "yes" ; then + echo "CONFIG_LIBCAP=y" >> $config_host_mak +fi for card in $audio_card_list; do def=CONFIG_`echo $card | tr '[:lower:]' '[:upper:]'` echo "$def=y" >> $config_host_mak diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c index 0d059ed..73e1c5a 100644 --- a/qemu-bridge-helper.c +++ b/qemu-bridge-helper.c @@ -33,6 +33,10 @@ #include "net/tap-linux.h" +#ifdef CONFIG_LIBCAP +#include +#endif + #define MAX_ACLS (128) #define DEFAULT_ACL_FILE CONFIG_QEMU_CONFDIR "/bridge.conf" @@ -186,6 +190,47 @@ static int send_fd(int c, int fd) return sendmsg(c, &msg, 0); } +#ifdef CONFIG_LIBCAP +static int drop_privileges(void) +{ + cap_t cap; + cap_value_t new_caps[] = {CAP_NET_ADMIN}; + + cap = cap_init(); + + /* set capabilities to be permitted and inheritable. we don't need the + * caps to be effective right now as they'll get reset when we seteuid + * anyway */ + cap_set_flag(cap, CAP_PERMITTED, 1, new_caps, CAP_SET); + cap_set_flag(cap, CAP_INHERITABLE, 1, new_caps, CAP_SET); + + if (cap_set_proc(cap) == -1) { + return -1; + } + + cap_free(cap); + + /* reduce our privileges to a normal user */ + setegid(getgid()); + seteuid(getuid()); + + cap = cap_init(); + + /* enable the our capabilities. we marked them as inheritable earlier + * which is what allows this to work. */ + cap_set_flag(cap, CAP_EFFECTIVE, 1, new_caps, CAP_SET); + cap_set_flag(cap, CAP_PERMITTED, 1, new_caps, CAP_SET); + + if (cap_set_proc(cap) == -1) { + return -1; + } + + cap_free(cap); + + return 0; +} +#endif + int main(int argc, char **argv) { struct ifreq ifr; @@ -199,6 +244,17 @@ int main(int argc, char **argv) int acl_count = 0; int i, access_allowed; +#ifdef CONFIG_LIBCAP + /* if we're run from an suid binary, immediately drop privileges preserving + * cap_net_admin */ + if (geteuid() == 0 && getuid() != geteuid()) { + if (drop_privileges() == -1) { + fprintf(stderr, "failed to drop privileges\n"); + return 1; + } + } +#endif + /* parse arguments */ if (argc < 3 || argc > 4) { fprintf(stderr, "Usage: %s [--use-vnet] BRIDGE FD\n", argv[0]);