Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

Tue, 19 Nov 2013 13:49:56 -0800 

Quoting Nikola Kotur (kotn...@gmail.com):
> There are scenarios in which we want to execute process with specific
> privileges elevated.
> 
> An example for this might be executing a process inside the container
> securely, with capabilities dropped, but not in container's cgroup so
> that we can have per process restrictions inside single container.
> 
> Similar to namespaces, privileges to be elevated can be OR'd:
> 
>     lxc-attach --elevated-privileges='CAP|CGROUP' ...
> 
> Backward compatibility with previous versions is retained. In case no
> privileges are specified behaviour is the same as before: all of them
> are elevated.

Hi,

thanks for submitting this patch.  No objection overall, however
there are a few existing places where elevated_privileges is set to 1
which you are not updating.  I also notice that currently it seems
broken as the manpage says that -R should imply -e, but i don't
see where that is enforced any more.

(Lastly, please do add a signed-off-by)

> ---
>  doc/lxc-attach.sgml.in | 13 ++++++++++++-
>  src/lxc/confile.c      | 37 +++++++++++++++++++++++++++++++++++++
>  src/lxc/confile.h      |  2 ++
>  src/lxc/lxc_attach.c   | 26 +++++++++++++++++---------
>  4 files changed, 68 insertions(+), 10 deletions(-)
> 
> diff --git a/doc/lxc-attach.sgml.in b/doc/lxc-attach.sgml.in
> index 8d75c7c..133e8fd 100644
> --- a/doc/lxc-attach.sgml.in
> +++ b/doc/lxc-attach.sgml.in
> @@ -23,6 +23,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, 
> MA 02110-1301 USA
>  
>  -->
>  
> +
>  <!DOCTYPE refentry PUBLIC @docdtd@ [
>  
>  <!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
> @@ -107,7 +108,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, 
> Boston, MA 02110-1301 USA
>  
>        <varlistentry>
>       <term>
> -       <option>-e, --elevated-privileges</option>
> +       <option>
> +      -e, --elevated-privileges <replaceable>privileges</replaceable>
> +    </option>
>       </term>
>       <listitem>
>         <para>
> @@ -117,6 +120,14 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, 
> Boston, MA 02110-1301 USA
>           <emphasis>not</emphasis> be added to the container's cgroup(s)
>           and it will not drop its capabilities before executing.
>         </para>
> +    <para>
> +      You may specify privileges, in case you do not want to elevate all of
> +      them, as a pipe-separated list, e.g.
> +      <replaceable>CGROUP|LSM</replaceable>. Allowed values are
> +      <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
> +      <replaceable>LSM</replaceable> representing cgroup, capabilities and
> +      restriction privileges respectively.
> +    </para>
>         <para>
>           <emphasis>Warning:</emphasis> This may leak privileges into the
>           container if the command starts subprocesses that remain active
> diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> index 0e0b7e8..fdfa418 100644
> --- a/src/lxc/confile.c
> +++ b/src/lxc/confile.c
> @@ -1568,6 +1568,43 @@ signed long lxc_config_parse_arch(const char *arch)
>       return -1;
>  }
>  
> +int lxc_fill_elevated_privileges(char *flaglist, int *flags)
> +{
> +     char *token, *saveptr = NULL;
> +     int i, aflag;
> +     struct { const char *token; int flag; } all_privs[] = {
> +             { "CGROUP",             LXC_ATTACH_MOVE_TO_CGROUP       },
> +             { "CAP",                LXC_ATTACH_DROP_CAPABILITIES    },
> +             { "LSM",                LXC_ATTACH_LSM_EXEC             },
> +             { NULL, 0 }
> +     };
> +
> +     if (!flaglist) {
> +             /* for the sake of backward compatibility, drop all privileges
> +                if none is specified */
> +             for (i = 0; all_privs[i].token; i++) {
> +                     *flags |= all_privs[i].flag;
> +             }
> +             return 0;
> +     }
> +
> +     token = strtok_r(flaglist, "|", &saveptr);
> +     while (token) {
> +             aflag = -1;
> +             for (i = 0; all_privs[i].token; i++) {
> +                     if (!strcmp(all_privs[i].token, token))
> +                             aflag = all_privs[i].flag;
> +             }
> +             if (aflag < 0)
> +                     return -1;
> +
> +             *flags |= aflag;
> +
> +             token = strtok_r(NULL, "|", &saveptr);
> +     }
> +     return 0;
> +}
> +
>  static int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v)
>  {
>       if (!retv)
> diff --git a/src/lxc/confile.h b/src/lxc/confile.h
> index 9d12071..eb7a8c2 100644
> --- a/src/lxc/confile.h
> +++ b/src/lxc/confile.h
> @@ -22,6 +22,7 @@
>   */
>  
>  #include <stdio.h>
> +#include "attach_options.h"
>  
>  #ifndef _confile_h
>  #define _confile_h
> @@ -47,6 +48,7 @@ extern int lxc_config_define_load(struct lxc_list *defines,
>  
>  /* needed for lxc-attach */
>  extern signed long lxc_config_parse_arch(const char *arch);
> +extern int lxc_fill_elevated_privileges(char *flaglist, int *flags);
>  
>  extern int lxc_get_config_item(struct lxc_conf *c, const char *key, char 
> *retv, int inlen);
>  extern int lxc_clear_config_item(struct lxc_conf *c, const char *key);
> diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c
> index b49771b..5457d93 100644
> --- a/src/lxc/lxc_attach.c
> +++ b/src/lxc/lxc_attach.c
> @@ -38,7 +38,7 @@
>  lxc_log_define(lxc_attach_ui, lxc);
>  
>  static const struct option my_longopts[] = {
> -     {"elevated-privileges", no_argument, 0, 'e'},
> +     {"elevated-privileges", optional_argument, 0, 'e'},
>       {"arch", required_argument, 0, 'a'},
>       {"namespaces", required_argument, 0, 's'},
>       {"remount-sys-proc", no_argument, 0, 'R'},
> @@ -87,7 +87,11 @@ static int my_parser(struct lxc_arguments* args, int c, 
> char* arg)
>       int ret;
>  
>       switch (c) {
> -     case 'e': elevated_privileges = 1; break;
> +     case 'e':
> +             ret = lxc_fill_elevated_privileges(arg, &elevated_privileges);
> +             if (ret)
> +                     return -1;
> +             break;
>       case 'R': remount_sys_proc = 1; break;
>       case 'a':
>               new_personality = lxc_config_parse_arch(arg);
> @@ -138,9 +142,12 @@ Execute the specified COMMAND - enter the container 
> NAME\n\
>  \n\
>  Options :\n\
>    -n, --name=NAME   NAME for name of the container\n\
> -  -e, --elevated-privileges\n\
> -                    Use elevated privileges (capabilities, cgroup\n\
> -                    restrictions) instead of those of the container.\n\
> +  -e, --elevated-privileges=PRIVILEGES\n\
> +                    Use elevated privileges instead of those of the\n\
> +                    container. If you don't specify privileges to be\n\
> +                    elevated as OR'd list: CAP, CGROUP and LSM 
> (capabilities,\n\
> +                    cgroup and restrictions, respectively) then all of 
> them\n\
> +                    will be elevated.\n\
>                      WARNING: This may leak privileges into the container.\n\
>                      Use with care.\n\
>    -a, --arch=ARCH   Use ARCH for program instead of container's own\n\
> @@ -148,9 +155,10 @@ Options :\n\
>    -s, --namespaces=FLAGS\n\
>                      Don't attach to all the namespaces of the container\n\
>                      but just to the following OR'd list of flags:\n\
> -                    MOUNT, PID, UTSNAME, IPC, USER or NETWORK\n\
> -                    WARNING: Using -s implies -e, it may therefore\n\
> -                    leak privileges into the container. Use with care.\n\
> +                    MOUNT, PID, UTSNAME, IPC, USER or NETWORK.\n\
> +                    WARNING: Using -s implies -e with all privileges\n\
> +                    elevated, it may therefore leak privileges into the\n\
> +                    container. Use with care.\n\
>    -R, --remount-sys-proc\n\
>                      Remount /sys and /proc if not attaching to the\n\
>                      mount namespace when using -s in order to properly\n\
> @@ -199,7 +207,7 @@ int main(int argc, char *argv[])
>       if (remount_sys_proc)
>               attach_options.attach_flags |= LXC_ATTACH_REMOUNT_PROC_SYS;
>       if (elevated_privileges)
> -             attach_options.attach_flags &= ~(LXC_ATTACH_MOVE_TO_CGROUP | 
> LXC_ATTACH_DROP_CAPABILITIES | LXC_ATTACH_LSM_EXEC);
> +             attach_options.attach_flags &= ~(elevated_privileges);
>       attach_options.namespaces = namespace_flags;
>       attach_options.personality = new_personality;
>       attach_options.env_policy = env_policy;
> -- 
> 1.8.4.2
> 
> 
> ------------------------------------------------------------------------------
> Shape the Mobile Experience: Free Subscription
> Software experts and developers: Be at the forefront of tech innovation.
> Intel(R) Software Adrenaline delivers strategic insight and game-changing 
> conversations that shape the rapidly evolving mobile landscape. Sign up now. 
> http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel

Reply via email to