Merge pull request #3614 from brauner/2021-01-04/fixes

capability fixes
lxc · Jan 4, 2021 · 2395788 · 2395788
2 parents bfcd663 + d84b26b
commit 2395788
Show file tree

Hide file tree

Showing 4 changed files with 205 additions and 64 deletions.
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
@@ -1832,10 +1832,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 	}
 
 	if (!wants_force_mount) {
-		if (!lxc_list_empty(&handler->conf->keepcaps))
-			wants_force_mount = !in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
-		else
-			wants_force_mount = in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
+		wants_force_mount = lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
 
 		/*
 		 * Most recent distro versions currently have init system that

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
@@ -181,56 +181,47 @@ static struct mount_opt propagation_opt[] = {
 
 static struct caps_opt caps_opt[] = {
 #if HAVE_LIBCAP
-	{ "chown",            CAP_CHOWN            },
-	{ "dac_override",     CAP_DAC_OVERRIDE     },
-	{ "dac_read_search",  CAP_DAC_READ_SEARCH  },
-	{ "fowner",           CAP_FOWNER           },
-	{ "fsetid",           CAP_FSETID           },
-	{ "kill",             CAP_KILL             },
-	{ "setgid",           CAP_SETGID           },
-	{ "setuid",           CAP_SETUID           },
-	{ "setpcap",          CAP_SETPCAP          },
-	{ "linux_immutable",  CAP_LINUX_IMMUTABLE  },
-	{ "net_bind_service", CAP_NET_BIND_SERVICE },
-	{ "net_broadcast",    CAP_NET_BROADCAST    },
-	{ "net_admin",        CAP_NET_ADMIN        },
-	{ "net_raw",          CAP_NET_RAW          },
-	{ "ipc_lock",         CAP_IPC_LOCK         },
-	{ "ipc_owner",        CAP_IPC_OWNER        },
-	{ "sys_module",       CAP_SYS_MODULE       },
-	{ "sys_rawio",        CAP_SYS_RAWIO        },
-	{ "sys_chroot",       CAP_SYS_CHROOT       },
-	{ "sys_ptrace",       CAP_SYS_PTRACE       },
-	{ "sys_pacct",        CAP_SYS_PACCT        },
-	{ "sys_admin",        CAP_SYS_ADMIN        },
-	{ "sys_boot",         CAP_SYS_BOOT         },
-	{ "sys_nice",         CAP_SYS_NICE         },
-	{ "sys_resource",     CAP_SYS_RESOURCE     },
-	{ "sys_time",         CAP_SYS_TIME         },
-	{ "sys_tty_config",   CAP_SYS_TTY_CONFIG   },
-	{ "mknod",            CAP_MKNOD            },
-	{ "lease",            CAP_LEASE            },
-#ifdef CAP_AUDIT_READ
-	{ "audit_read",       CAP_AUDIT_READ       },
-#endif
-#ifdef CAP_AUDIT_WRITE
-	{ "audit_write",      CAP_AUDIT_WRITE      },
-#endif
-#ifdef CAP_AUDIT_CONTROL
-	{ "audit_control",    CAP_AUDIT_CONTROL    },
-#endif
-	{ "setfcap",          CAP_SETFCAP          },
-	{ "mac_override",     CAP_MAC_OVERRIDE     },
-	{ "mac_admin",        CAP_MAC_ADMIN        },
-#ifdef CAP_SYSLOG
-	{ "syslog",           CAP_SYSLOG           },
-#endif
-#ifdef CAP_WAKE_ALARM
-	{ "wake_alarm",       CAP_WAKE_ALARM       },
-#endif
-#ifdef CAP_BLOCK_SUSPEND
-	{ "block_suspend",    CAP_BLOCK_SUSPEND    },
-#endif
+	{ "chown",              CAP_CHOWN              },
+	{ "dac_override",       CAP_DAC_OVERRIDE       },
+	{ "dac_read_search",    CAP_DAC_READ_SEARCH    },
+	{ "fowner",             CAP_FOWNER             },
+	{ "fsetid",             CAP_FSETID             },
+	{ "kill",               CAP_KILL               },
+	{ "setgid",             CAP_SETGID             },
+	{ "setuid",             CAP_SETUID             },
+	{ "setpcap",            CAP_SETPCAP            },
+	{ "linux_immutable",    CAP_LINUX_IMMUTABLE    },
+	{ "net_bind_service",   CAP_NET_BIND_SERVICE   },
+	{ "net_broadcast",      CAP_NET_BROADCAST      },
+	{ "net_admin",          CAP_NET_ADMIN          },
+	{ "net_raw",            CAP_NET_RAW            },
+	{ "ipc_lock",           CAP_IPC_LOCK           },
+	{ "ipc_owner",          CAP_IPC_OWNER          },
+	{ "sys_module",         CAP_SYS_MODULE         },
+	{ "sys_rawio",          CAP_SYS_RAWIO          },
+	{ "sys_chroot",         CAP_SYS_CHROOT         },
+	{ "sys_ptrace",         CAP_SYS_PTRACE         },
+	{ "sys_pacct",          CAP_SYS_PACCT          },
+	{ "sys_admin",          CAP_SYS_ADMIN          },
+	{ "sys_boot",           CAP_SYS_BOOT           },
+	{ "sys_nice",           CAP_SYS_NICE           },
+	{ "sys_resource",       CAP_SYS_RESOURCE       },
+	{ "sys_time",           CAP_SYS_TIME           },
+	{ "sys_tty_config",     CAP_SYS_TTY_CONFIG     },
+	{ "mknod",              CAP_MKNOD              },
+	{ "lease",              CAP_LEASE              },
+	{ "audit_write",        CAP_AUDIT_WRITE        },
+	{ "audit_control",      CAP_AUDIT_CONTROL      },
+	{ "setfcap",            CAP_SETFCAP            },
+	{ "mac_override",       CAP_MAC_OVERRIDE       },
+	{ "mac_admin",          CAP_MAC_ADMIN          },
+	{ "syslog",             CAP_SYSLOG             },
+	{ "wake_alarm",         CAP_WAKE_ALARM         },
+	{ "block_suspend",      CAP_BLOCK_SUSPEND      },
+	{ "audit_read",         CAP_AUDIT_READ         },
+	{ "perfmon",            CAP_PERFMON            },
+	{ "bpf",                CAP_BPF                },
+	{ "checkpoint_restore", CAP_CHECKPOINT_RESTORE },
 #endif
 };
 
@@ -649,8 +640,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
 		{ 0,                  0,                   NULL,                                             NULL,                         NULL,    0,                                               NULL, 0 }
 	};
 
-	bool has_cap_net_admin = in_caplist(CAP_NET_ADMIN, &conf->caps);
-	for (i = 0; default_mounts[i].match_mask; i++) {
+        bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
+        for (i = 0; default_mounts[i].match_mask; i++) {
 		__do_free char *destination = NULL, *source = NULL;
 		int saved_errno;
 		unsigned long mflags;

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
@@ -15,6 +15,7 @@
 #include <sys/types.h>
 #include <sys/vfs.h>
 
+#include "caps.h"
 #include "compiler.h"
 #include "config.h"
 #include "list.h"
@@ -514,6 +515,18 @@ __hidden extern int run_script(const char *name, const char *section, const char
 __hidden extern int run_script_argv(const char *name, unsigned int hook_version, const char *section,
 				    const char *script, const char *hookname, char **argsin);
 __hidden extern int in_caplist(int cap, struct lxc_list *caps);
+
+static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
+{
+	if (lxc_caps_last_cap() < cap)
+		return false;
+
+	if (!lxc_list_empty(&conf->keepcaps))
+		return !in_caplist(cap, &conf->keepcaps);
+
+	return in_caplist(cap, &conf->caps);
+}
+
 __hidden extern int setup_sysctl_parameters(struct lxc_list *sysctls);
 __hidden extern int lxc_clear_sysctls(struct lxc_conf *c, const char *key);
 __hidden extern int setup_proc_filesystem(struct lxc_list *procs, pid_t pid);

diff --git a/src/lxc/macro.h b/src/lxc/macro.h
@@ -37,28 +37,168 @@
 #endif
 
 /* capabilities */
+#ifndef CAP_CHOWN
+#define CAP_CHOWN            	0
+#endif
+
+#ifndef CAP_DAC_OVERRIDE
+#define CAP_DAC_OVERRIDE     	1
+#endif
+
+#ifndef CAP_DAC_READ_SEARCH
+#define CAP_DAC_READ_SEARCH  	2
+#endif
+
+#ifndef CAP_FOWNER
+#define CAP_FOWNER           	3
+#endif
+
+#ifndef CAP_FSETID
+#define CAP_FSETID           	4
+#endif
+
+#ifndef CAP_KILL
+#define CAP_KILL             	5
+#endif
+
+#ifndef CAP_SETGID
+#define CAP_SETGID           	6
+#endif
+
+#ifndef CAP_SETUID
+#define CAP_SETUID           	7
+#endif
+
+#ifndef CAP_SETPCAP
+#define CAP_SETPCAP          	8
+#endif
+
+#ifndef CAP_LINUX_IMMUTABLE
+#define CAP_LINUX_IMMUTABLE  	9
+#endif
+
+#ifndef CAP_NET_BIND_SERVICE
+#define CAP_NET_BIND_SERVICE 	10
+#endif
+
+#ifndef CAP_NET_BROADCAST
+#define CAP_NET_BROADCAST    	11
+#endif
+
+#ifndef CAP_NET_ADMIN
+#define CAP_NET_ADMIN        	12
+#endif
+
+#ifndef CAP_NET_RAW
+#define CAP_NET_RAW          	13
+#endif
+
+#ifndef CAP_IPC_LOCK
+#define CAP_IPC_LOCK         	14
+#endif
+
+#ifndef CAP_IPC_OWNER
+#define CAP_IPC_OWNER        	15
+#endif
+
+#ifndef CAP_SYS_MODULE
+#define CAP_SYS_MODULE       	16
+#endif
+
+#ifndef CAP_SYS_RAWIO
+#define CAP_SYS_RAWIO        	17
+#endif
+
+#ifndef CAP_SYS_CHROOT
+#define CAP_SYS_CHROOT       	18
+#endif
+
+#ifndef CAP_SYS_PTRACE
+#define CAP_SYS_PTRACE       	19
+#endif
+
+#ifndef CAP_SYS_PACCT
+#define CAP_SYS_PACCT        	20
+#endif
+
 #ifndef CAP_SYS_ADMIN
-#define CAP_SYS_ADMIN 21
+#define CAP_SYS_ADMIN        	21
+#endif
+
+#ifndef CAP_SYS_BOOT
+#define CAP_SYS_BOOT         	22
+#endif
+
+#ifndef CAP_SYS_NICE
+#define CAP_SYS_NICE         	23
+#endif
+
+#ifndef CAP_SYS_RESOURCE
+#define CAP_SYS_RESOURCE     	24
+#endif
+
+#ifndef CAP_SYS_TIME
+#define CAP_SYS_TIME         	25
+#endif
+
+#ifndef CAP_SYS_TTY_CONFIG
+#define CAP_SYS_TTY_CONFIG   	26
+#endif
+
+#ifndef CAP_MKNOD
+#define CAP_MKNOD            	27
+#endif
+
+#ifndef CAP_LEASE
+#define CAP_LEASE            	28
+#endif
+
+#ifndef CAP_AUDIT_WRITE
+#define CAP_AUDIT_WRITE      	29
+#endif
+
+#ifndef CAP_AUDIT_CONTROL
+#define CAP_AUDIT_CONTROL    	30
 #endif
 
 #ifndef CAP_SETFCAP
-#define CAP_SETFCAP 31
+#define CAP_SETFCAP	     	31
 #endif
 
 #ifndef CAP_MAC_OVERRIDE
-#define CAP_MAC_OVERRIDE 32
+#define CAP_MAC_OVERRIDE     	32
 #endif
 
 #ifndef CAP_MAC_ADMIN
-#define CAP_MAC_ADMIN 33
+#define CAP_MAC_ADMIN        	33
 #endif
 
-#ifndef CAP_SETUID
-#define CAP_SETUID 7
+#ifndef CAP_SYSLOG
+#define CAP_SYSLOG           	34
 #endif
 
-#ifndef CAP_SETGID
-#define CAP_SETGID 6
+#ifndef CAP_WAKE_ALARM
+#define CAP_WAKE_ALARM       	35
+#endif
+
+#ifndef CAP_BLOCK_SUSPEND
+#define CAP_BLOCK_SUSPEND    	36
+#endif
+
+#ifndef CAP_AUDIT_READ
+#define CAP_AUDIT_READ		37
+#endif
+
+#ifndef CAP_PERFMON
+#define CAP_PERFMON		38
+#endif
+
+#ifndef CAP_BPF
+#define CAP_BPF			39
+#endif
+
+#ifndef CAP_CHECKPOINT_RESTORE
+#define CAP_CHECKPOINT_RESTORE	40
 #endif
 
 /* prctl */