···
7
+
#include <sys/xattr.h>
#include <linux/capability.h>
12
-
#include <sys/capability.h>
16
+
#include <syscall.h>
17
+
#include <byteswap.h>
// Make sure assertions are not compiled out, we use them to codify
// invariants about this program and we want it to fail fast and
···
// The WRAPPER_DIR macro is supplied at compile time so that it cannot
26
-
static char * wrapperDir = WRAPPER_DIR;
28
+
static char *wrapper_dir = WRAPPER_DIR;
// Wrapper debug variable name
29
-
static char * wrapperDebug = "WRAPPER_DEBUG";
31
+
static char *wrapper_debug = "WRAPPER_DEBUG";
31
-
// Update the capabilities of the running process to include the given
32
-
// capability in the Ambient set.
33
-
static void set_ambient_cap(cap_value_t cap)
35
-
capng_get_caps_process();
33
+
#define CAP_SETPCAP 8
37
-
if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap))
39
-
perror("cannot raise the capability into the Inheritable set\n");
35
+
#if __BYTE_ORDER == __BIG_ENDIAN
36
+
#define LE32_TO_H(x) bswap_32(x)
38
+
#define LE32_TO_H(x) (x)
43
-
capng_apply(CAPNG_SELECT_CAPS);
45
-
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long) cap, 0, 0))
47
-
perror("cannot raise the capability into the Ambient set\n");
41
+
int get_last_cap(unsigned *last_cap) {
42
+
FILE* file = fopen("/proc/sys/kernel/cap_last_cap", "r");
44
+
int saved_errno = errno;
45
+
fprintf(stderr, "failed to open /proc/sys/kernel/cap_last_cap: %s\n", strerror(errno));
46
+
return -saved_errno;
48
+
int res = fscanf(file, "%u", last_cap);
50
+
int saved_errno = errno;
51
+
fprintf(stderr, "could not read number from /proc/sys/kernel/cap_last_cap: %s\n", strerror(errno));
52
+
return -saved_errno;
// Given the path to this program, fetch its configured capability set
// (as set by `setcap ... /path/to/file`) and raise those capabilities
55
-
static int make_caps_ambient(const char *selfPath)
57
-
cap_t caps = cap_get_file(selfPath);
61
-
if(getenv(wrapperDebug))
62
-
fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything...");
61
+
static int make_caps_ambient(const char *self_path) {
62
+
struct vfs_ns_cap_data data = {};
63
+
int r = getxattr(self_path, "security.capability", &data, sizeof(data));
66
+
if (errno == ENODATA) {
67
+
// no capabilities set
70
+
fprintf(stderr, "cannot get capabilities for %s: %s", self_path, strerror(errno));
67
-
// We use `cap_to_text` and iteration over the tokenized result
68
-
// string because, as of libcap's current release, there is no
69
-
// facility for retrieving an array of `cap_value_t`'s that can be
70
-
// given to `prctl` in order to lift that capability into the
73
-
// Some discussion was had around shot-gunning all of the
74
-
// capabilities we know about into the Ambient set but that has a
75
-
// security smell and I deemed the risk of the current
76
-
// implementation crashing the program to be lower than the risk
77
-
// of a privilege escalation security hole being introduced by
78
-
// raising all capabilities, even ones we didn't intend for the
79
-
// program, into the Ambient set.
81
-
// `cap_t` which is returned by `cap_get_*` is an opaque type and
82
-
// even if we could retrieve the bitmasks (which, as far as I can
83
-
// tell we cannot) in order to get the `cap_value_t`
84
-
// representation for each capability we would have to take the
85
-
// total number of capabilities supported and iterate over the
86
-
// sequence of integers up-to that maximum total, testing each one
87
-
// against the bitmask ((bitmask >> n) & 1) to see if it's set and
88
-
// aggregating each "capability integer n" that is set in the
91
-
// That, combined with the fact that we can't easily get the
92
-
// bitmask anyway seemed much more brittle than fetching the
93
-
// `cap_t`, transforming it into a textual representation,
94
-
// tokenizing the string, and using `cap_from_name` on the token
95
-
// to get the `cap_value_t` that we need for `prctl`. There is
96
-
// indeed risk involved if the output string format of
97
-
// `cap_to_text` ever changes but at this time the combination of
98
-
// factors involving the below list have led me to the conclusion
99
-
// that the best implementation at this time is reading then
100
-
// parsing with *lots of documentation* about why we're doing it
103
-
// 1. No explicit API for fetching an array of `cap_value_t`'s or
104
-
// for transforming a `cap_t` into such a representation
105
-
// 2. The risk of a crash is lower than lifting all capabilities
106
-
// into the Ambient set
107
-
// 3. libcap is depended on heavily in the Linux ecosystem so
108
-
// there is a high chance that the output representation of
109
-
// `cap_to_text` will not change which reduces our risk that
110
-
// this parsing step will cause a crash
112
-
// The preferred method, should it ever be available in the
113
-
// future, would be to use libcap API's to transform the result
114
-
// from a `cap_get_*` into an array of `cap_value_t`'s that can
115
-
// then be given to prctl.
119
-
char* capstr = cap_to_text(caps, &capLen);
122
-
// TODO: For now, we assume that cap_to_text always starts its
123
-
// result string with " =" and that the first capability is listed
124
-
// immediately after that. We should verify this.
125
-
assert(capLen >= 2);
75
+
uint32_t version = LE32_TO_H(data.magic_etc) & VFS_CAP_REVISION_MASK;
77
+
case VFS_CAP_REVISION_1:
78
+
size = VFS_CAP_U32_1;
80
+
case VFS_CAP_REVISION_2:
81
+
case VFS_CAP_REVISION_3:
82
+
size = VFS_CAP_U32_3;
85
+
fprintf(stderr, "BUG! Unsupported capability version 0x%x on %s. Report to NixOS bugtracker\n", version, self_path);
128
-
char* saveptr = NULL;
129
-
for(char* tok = strtok_r(capstr, ",", &saveptr); tok; tok = strtok_r(NULL, ",", &saveptr))
131
-
cap_value_t capnum;
132
-
if (cap_from_name(tok, &capnum))
134
-
if(getenv(wrapperDebug))
135
-
fprintf(stderr, "cap_from_name failed, skipping: %s", tok);
137
-
else if (capnum == CAP_SETPCAP)
139
-
// Check for the cap_setpcap capability, we set this on the
140
-
// wrapper so it can elevate the capabilities to the Ambient
141
-
// set but we do not want to propagate it down into the
142
-
// wrapped program.
144
-
// TODO: what happens if that's the behavior you want
145
-
// though???? I'm preferring a strict vs. loose policy here.
146
-
if(getenv(wrapperDebug))
147
-
fprintf(stderr, "cap_setpcap in set, skipping it\n");
151
-
set_ambient_cap(capnum);
89
+
const struct __user_cap_header_struct header = {
90
+
.version = _LINUX_CAPABILITY_VERSION_3,
93
+
struct __user_cap_data_struct user_data[2] = {};
153
-
if(getenv(wrapperDebug))
154
-
fprintf(stderr, "raised %s into the Ambient capability set\n", tok);
95
+
for (size_t i = 0; i < size; i++) {
96
+
// merge inheritable & permitted into one
97
+
user_data[i].permitted = user_data[i].inheritable =
98
+
LE32_TO_H(data.data[i].inheritable) | LE32_TO_H(data.data[i].permitted);
101
+
if (syscall(SYS_capset, &header, &user_data) < 0) {
102
+
fprintf(stderr, "failed to inherit capabilities: %s", strerror(errno));
106
+
r = get_last_cap(&last_cap);
110
+
uint64_t set = user_data[0].permitted | (uint64_t)user_data[1].permitted << 32;
111
+
for (unsigned cap = 0; cap < last_cap; cap++) {
112
+
if (!(set & (1ULL << cap))) {
116
+
// Check for the cap_setpcap capability, we set this on the
117
+
// wrapper so it can elevate the capabilities to the Ambient
118
+
// set but we do not want to propagate it down into the
119
+
// wrapped program.
121
+
// TODO: what happens if that's the behavior you want
122
+
// though???? I'm preferring a strict vs. loose policy here.
123
+
if (cap == CAP_SETPCAP) {
124
+
if(getenv(wrapper_debug)) {
125
+
fprintf(stderr, "cap_setpcap in set, skipping it\n");
129
+
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long) cap, 0, 0)) {
130
+
fprintf(stderr, "cannot raise the capability %d into the ambient set: %s\n", cap, strerror(errno));
133
+
if (getenv(wrapper_debug)) {
134
+
fprintf(stderr, "raised %d into the ambient capability set\n", cap);
162
-
int main(int argc, char * * argv)
164
-
// I *think* it's safe to assume that a path from a symbolic link
165
-
// should safely fit within the PATH_MAX system limit. Though I'm
166
-
// not positive it's safe...
167
-
char selfPath[PATH_MAX];
168
-
int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath));
141
+
int readlink_malloc(const char *p, char **ret) {
142
+
size_t l = FILENAME_MAX+1;
170
-
assert(selfPathSize > 0);
146
+
char *c = calloc(l, sizeof(char));
151
+
ssize_t n = readlink(p, c, l-1);
158
+
if ((size_t) n < l-1) {
172
-
// Assert we have room for the zero byte, this ensures the path
173
-
// isn't being truncated because it's too big for the buffer.
175
-
// A better way to handle this might be to use something like the
176
-
// whereami library (https://github.com/gpakosz/whereami) or a
177
-
// loop that resizes the buffer and re-reads the link if the
178
-
// contents are being truncated.
179
-
assert(selfPathSize < sizeof(selfPath));
181
-
// Set the zero byte since readlink doesn't do that for us.
182
-
selfPath[selfPathSize] = '\0';
169
+
int main(int argc, char **argv) {
170
+
char *self_path = NULL;
171
+
int self_path_size = readlink_malloc("/proc/self/exe", &self_path);
172
+
if (self_path_size < 0) {
173
+
fprintf(stderr, "cannot readlink /proc/self/exe: %s", strerror(-self_path_size));
// Make sure that we are being executed from the right location,
185
-
// i.e., `safeWrapperDir'. This is to prevent someone from creating
177
+
// i.e., `safe_wrapper_dir'. This is to prevent someone from creating
// hard link `X' from some other location, along with a false
// `X.real' file, to allow arbitrary programs from being executed
// with elevated capabilities.
189
-
int len = strlen(wrapperDir);
190
-
if (len > 0 && '/' == wrapperDir[len - 1])
181
+
int len = strlen(wrapper_dir);
182
+
if (len > 0 && '/' == wrapper_dir[len - 1])
192
-
assert(!strncmp(selfPath, wrapperDir, len));
193
-
assert('/' == wrapperDir[0]);
194
-
assert('/' == selfPath[len]);
184
+
assert(!strncmp(self_path, wrapper_dir, len));
185
+
assert('/' == wrapper_dir[0]);
186
+
assert('/' == self_path[len]);
// Make *really* *really* sure that we were executed as
197
-
// `selfPath', and not, say, as some other setuid program. That
189
+
// `self_path', and not, say, as some other setuid program. That
// is, our effective uid/gid should match the uid/gid of
201
-
assert(lstat(selfPath, &st) != -1);
193
+
assert(lstat(self_path, &st) != -1);
assert(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid()));
assert(!(st.st_mode & S_ISGID) || (st.st_gid == getegid()));
···
assert(!(st.st_mode & (S_IWGRP | S_IWOTH)));
// Read the path of the real (wrapped) program from <self>.real.
210
-
char realFN[PATH_MAX + 10];
211
-
int realFNSize = snprintf (realFN, sizeof(realFN), "%s.real", selfPath);
212
-
assert (realFNSize < sizeof(realFN));
202
+
char real_fn[PATH_MAX + 10];
203
+
int real_fn_size = snprintf(real_fn, sizeof(real_fn), "%s.real", self_path);
204
+
assert(real_fn_size < sizeof(real_fn));
214
-
int fdSelf = open(realFN, O_RDONLY);
215
-
assert (fdSelf != -1);
206
+
int fd_self = open(real_fn, O_RDONLY);
207
+
assert(fd_self != -1);
217
-
char sourceProg[PATH_MAX];
218
-
len = read(fdSelf, sourceProg, PATH_MAX);
219
-
assert (len != -1);
220
-
assert (len < sizeof(sourceProg));
222
-
sourceProg[len] = 0;
209
+
char source_prog[PATH_MAX];
210
+
len = read(fd_self, source_prog, PATH_MAX);
212
+
assert(len < sizeof(source_prog));
214
+
source_prog[len] = 0;
// Read the capabilities set on the wrapper and raise them in to
227
-
// the Ambient set so the program we're wrapping receives the
219
+
// the ambient set so the program we're wrapping receives the
229
-
make_caps_ambient(selfPath);
221
+
if (make_caps_ambient(self_path) != 0) {
231
-
execve(sourceProg, argv, environ);
227
+
execve(source_prog, argv, environ);
fprintf(stderr, "%s: cannot run `%s': %s\n",
234
-
argv[0], sourceProg, strerror(errno));
230
+
argv[0], source_prog, strerror(errno));
pyrox.dev