
Drop CAP_MKNOD by using getentropy/getrandom directly #8703

Open
6 tasks
mmeeks opened this issue Apr 4, 2024 · 3 comments
Assignees
Labels
24.04 enhancement New feature or request

Comments

@mmeeks
Contributor

mmeeks commented Apr 4, 2024

We currently have a problem when people use the 'nodev' attribute on mounts, and of course people love to lock down the system so nothing can be done with it so we should:

  • use getentropy or getrandom everywhere ... ;-)

What follows is a bad design that it turns out doesn't work: =)

  • create two FIFOs (mkfifo) in each jail's dev/random and dev/urandom directories cf. https://linux.die.net/man/3/mkfifo
  • create a new SocketPolling thread and start it in coolwsd
  • in that thread open /dev/urandom for reading in coolwsd
  • open both the above FIFOs for writing, and add them to the socket-poll
  • when we get a chance to write, read from /dev/urandom (non-blocking) and write to either of the output pipes.

FIFOs ensure that only one opener at the other end gets each chunk of data, and all should be well emulating these simple devices this way.

Then we should drop CAP_MKNOD and the problems that come with this like this:

kit-1559279-1559279 2024-04-03 21:58:48.464008 +0000 (Wed, Apr 3 22:58 BST) [ kit_spare_002 ] INF  Failed to create random device via mknod(/home/collabora/jenkins/workspace/github_online_master_debug_vs_co-24.04/jails/1559122-f990635c/LehhVRoWIizOoS5H//tmp/dev/random). Mount must not use nodev flag, or bind-mount must be enabled: Operation not permitted| common/JailUtil.cpp:360
@mmeeks mmeeks added enhancement New feature or request unconfirmed 24.04 and removed unconfirmed labels Apr 4, 2024
@Minion3665 Minion3665 self-assigned this Apr 4, 2024
@mmeeks
Contributor Author

mmeeks commented Apr 5, 2024

Seems named pipes bring a whole load of pain with them: check out https://github.com/CollaboraOnline/online/compare/private/mmeeks/fiforandom?expand=1
which appears to work but ... not in a nice way.

Quite possibly we need to either patch NSS, or require a working 'getrandom' system call - which dates from October 2014 - so - surely must be widely deployed.

@mmeeks
Contributor Author

mmeeks commented Apr 5, 2024

Instead, let's use getentropy / getrandom properly:

https://gerrit.libreoffice.org/c/core/+/165824
https://gerrit.libreoffice.org/c/core/+/165820
#8715

go in this direction.

@mmeeks mmeeks changed the title Drop CAP_MKNOD by using named pipes Drop CAP_MKNOD by using getentropy/getrandom directly Apr 5, 2024
@mmeeks
Contributor Author

mmeeks commented Apr 6, 2024

Ok - so then the problem is that glibc is badly out of date with kernels - and only just got getrandom. So we need to either use the system-call directly - or - I have a better idea - which is to share a single file-descriptor to /dev/urandom between all our Kit processes =)
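The two approaches discussed in the last three comments (calling getrandom directly so that a jail needs no /dev/random node at all, and falling back to a single /dev/urandom descriptor opened by the parent before it forks the Kit processes) can be combined in a small routine. The following is an added illustration and is not CollaboraOnline or LibreOffice code; the function names (`random_fill`, `random_init_shared_fd`, `g_urandom_fd`) are this example's own. It invokes the syscall through `syscall(2)` rather than the libc wrapper, so it does not depend on the C library having caught up with the kernel, and it never creates a device node inside the jail, which is what lets CAP_MKNOD be dropped and makes `nodev` mounts irrelevant.

```c
/* Added example (not project code): fill a buffer with kernel randomness
 * inside a jail that has no /dev/random or /dev/urandom device node.
 * Order of preference:
 *   1. getrandom(2) via the raw syscall (Linux 3.17, October 2014), so an
 *      old libc without the getrandom() wrapper is not a problem;
 *   2. a /dev/urandom descriptor opened once by the parent, outside the
 *      jail, and inherited across fork() by every child process.
 * Assumed names: random_fill, random_init_shared_fd, g_urandom_fd. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Identical to glibc's own prototype; repeated so the example also builds
 * under strict -std=c99 where unistd.h hides syscall(). */
extern long syscall(long number, ...);

/* Process-wide descriptor shared with children; -1 means "not opened". */
static int g_urandom_fd = -1;

/* Call this in the parent before chroot/fork. O_CLOEXEC stops the fd from
 * leaking into any exec'd helper; fork() still passes it to children. */
int random_init_shared_fd(void)
{
    if (g_urandom_fd >= 0)
        return 0;
    g_urandom_fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    return g_urandom_fd >= 0 ? 0 : -1;
}

/* Path 1: raw getrandom syscall. Returns 0 on success, -1 on failure
 * (ENOSYS on pre-3.17 kernels or when blocked by a seccomp filter).
 * Loops because requests over 256 bytes may be satisfied partially. */
int random_fill_syscall(void *buf, size_t len)
{
#ifdef SYS_getrandom
    unsigned char *p = buf;
    while (len > 0) {
        long n = syscall(SYS_getrandom, p, len, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
#else
    (void)buf; (void)len;
    errno = ENOSYS;
    return -1;
#endif
}

/* Path 2: read from an already-open descriptor. No device node is created
 * in the jail, so a nodev mount does not matter. Handles short reads. */
int random_fill_fd(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)          /* EOF never happens on urandom; treat as error */
            return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Entry point: syscall first, inherited descriptor as the fallback.
 * Fails (EBADF) if the parent never called random_init_shared_fd(). */
int random_fill(void *buf, size_t len)
{
    if (random_fill_syscall(buf, len) == 0)
        return 0;
    if (g_urandom_fd < 0) {
        errno = EBADF;
        return -1;
    }
    return random_fill_fd(g_urandom_fd, buf, len);
}

/* Self-check: two independent 32-byte draws succeed and differ, and the
 * fd path works whenever /dev/urandom could be opened. Returns 1 on success. */
int random_selftest(void)
{
    unsigned char a[32], b[32], c[32];
    (void)random_init_shared_fd();          /* parent-side setup */
    if (random_fill(a, sizeof a) != 0 || random_fill(b, sizeof b) != 0)
        return 0;
    if (memcmp(a, b, sizeof a) == 0)
        return 0;
    if (g_urandom_fd >= 0 && random_fill_fd(g_urandom_fd, c, sizeof c) != 0)
        return 0;
    return 1;
}
```

Flags are passed as 0, so the syscall blocks only until the kernel pool is initialised, matching /dev/urandom semantics once the system is up; a seccomp profile applied to the Kit processes must allow `getrandom`, or the code silently drops to the inherited descriptor.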
