Bug 1960708
| Summary: | please add CAP_CHECKPOINT_RESTORE to capability.h | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Davide Cavalca <davide> |
| Component: | kernel | Assignee: | Adrian Reber <areber> |
| kernel sub component: | Other | QA Contact: | Chao Ye <cye> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | unspecified | | |
| Priority: | unspecified | CC: | acaringi, areber, bstinson, carl, cye, jwboyer, lvrabec, ngompa13, omosnace, riehecky, skozina, zpytela |
| Version: | 8.4 | Keywords: | Triaged |
| Target Milestone: | beta | Flags: | pm-rhel: mirror+ |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | kernel-4.18.0-326.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1973325 (view as bug list) | Environment: | |
| Last Closed: | 2021-11-09 19:18:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1973325 | | |
Description

Davide Cavalca, 2021-05-14 16:19:43 UTC

Not sure why this bug got marked as private, could you please make it public? FYI, https://git.centos.org/rpms/util-linux/c/128f2ce4adb3b8002efcea69f070e450bccd7378?branch=c8s-sig-hyperscale is the horrible hack I'm using to work around this at the moment.

There is currently nothing which needs CAP_CHECKPOINT_RESTORE in RHEL 8. I will still try to see if this can be easily backported.

Possible test case to verify CAP_CHECKPOINT_RESTORE:
```c
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

/* Usage: ./bz1960708 <pid>
 * Writes <pid>-1 to /proc/sys/kernel/ns_last_pid so that the next fork()
 * should hand out exactly <pid>.  The write is the privileged step; it is
 * what CAP_CHECKPOINT_RESTORE is needed for (see the setcap note below). */
int main(int argc, char *argv[])
{
    int fd, pid, new_pid;
    char buf[32];

    if (argc != 2)
        return 1;

    printf("Opening ns_last_pid...\n");
    fd = open("/proc/sys/kernel/ns_last_pid", O_RDWR);
    if (fd < 0) {
        perror("Can't open ns_last_pid");
        return 1;
    }
    printf("Done\n");

    pid = atoi(argv[1]);
    snprintf(buf, sizeof(buf), "%d", pid - 1);
    printf("Writing pid-1 to ns_last_pid...\n");
    /* write() returns ssize_t; compare against the same type so a -1
     * (EACCES/EPERM without the capability) is not compared unsigned. */
    if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) {
        printf("Can't write to buf\n");
        close(fd);
        return 1;
    }
    printf("Done\n");

    printf("Forking...\n");
    fflush(stdout);   /* so the child does not re-flush the parent's buffered output */
    new_pid = fork();
    if (new_pid == 0) {
        printf("I'm child!\n");
        exit(0);
    } else if (new_pid == pid) {
        /* in the parent, fork() returns the pid that was handed to the child */
        printf("I'm parent. My child got right pid!\n");
    } else {
        printf("pid does not match expected one\n");
    }
    printf("Done\n");
    close(fd);
    printf("Done\n");
    return 0;
}
```
With a 'setcap cap_checkpoint_restore+eip ns_last_pid' this can run as non-root.
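As an added companion check (example code, not from the bug report or the test case above): before attempting the ns_last_pid write, a program can confirm that CAP_CHECKPOINT_RESTORE is really in its effective set by reading CapEff from /proc/self/status, and it can still build against a capability.h that predates the define by falling back to the upstream capability number 40. SAMPLE_STATUS is a constructed input and the helper names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#ifdef __linux__
#include <linux/capability.h>
#endif
/* RHEL 8 <linux/capability.h> before the fix has no CAP_CHECKPOINT_RESTORE
 * (the header gap this bug is about); fall back to the upstream number 40. */
#ifndef CAP_CHECKPOINT_RESTORE
#define CAP_CHECKPOINT_RESTORE 40
#endif

/* Constructed sample of /proc/self/status: only bit 40 is set in CapEff. */
static const char SAMPLE_STATUS[] =
    "Name:\tbz1960708\nCapInh:\t0000000000000000\nCapPrm:\t0000010000000000\n"
    "CapEff:\t0000010000000000\nCapBnd:\t000001ffffffffff\n";

/* Effective capability mask parsed from /proc/<pid>/status text; 0 if no CapEff: line. */
uint64_t parse_cap_eff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    return p ? strtoull(p + strlen("CapEff:"), NULL, 16) : 0;
}

/* 1 if capability number cap is set in mask, else 0. */
int mask_has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Read the real /proc/self/status: 1 = cap present, 0 = absent, -1 = read error. */
int have_checkpoint_restore(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return mask_has_cap(parse_cap_eff(buf), CAP_CHECKPOINT_RESTORE);
}

int main(void)
{
    int r = have_checkpoint_restore();
    if (r < 0) { perror("/proc/self/status"); return 1; }
    printf("CAP_CHECKPOINT_RESTORE (%d) %s in effective set\n",
           CAP_CHECKPOINT_RESTORE, r ? "is" : "is not");
    return r ? 0 : 1;   /* exit 1 = capability missing from the effective set */
}
```

Run it the same way as the test case, once plain and once after `setcap cap_checkpoint_restore+eip`, to see the effective set change before and after the kernel/libcap fix.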
Thank you for the code example, we can use it for testing, it also made me realize the permission actually is allowed in SELinux for init_t and unconfined domains. For a confined user staff_t, on the other hand, the permission is not set and an AVC denial is triggered (plus one follow-up for setroubleshootd):

```
----
type=PROCTITLE msg=audit(06/14/21 19:46:19.800:3455) : proctitle=/usr/local/sbin/bz1960708 43333
type=PATH msg=audit(06/14/21 19:46:19.800:3455) : item=0 name=/proc/sys/kernel/ns_last_pid inode=170159 dev=00:16 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/14/21 19:46:19.800:3455) : cwd=/home/staff
type=SYSCALL msg=audit(06/14/21 19:46:19.800:3455) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x402027 a2=O_RDWR a3=0x0 items=1 ppid=43192 pid=43240 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=pts1 ses=6 comm=bz1960708 exe=/usr/local/sbin/bz1960708 subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/21 19:46:19.800:3455) : avc: denied { write } for pid=43240 comm=bz1960708 name=ns_last_pid dev="proc" ino=170159 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(06/14/21 19:46:19.822:3456) : proctitle=/usr/bin/python3 -Es /usr/sbin/setroubleshootd -f
type=PATH msg=audit(06/14/21 19:46:19.822:3456) : item=0 name=/proc/sys/kernel/ns_last_pid inode=170159 dev=00:16 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/14/21 19:46:19.822:3456) : cwd=/
type=SYSCALL msg=audit(06/14/21 19:46:19.822:3456) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f21671c7510 a2=0x7f2167120f60 a3=0x0 items=1 ppid=1 pid=43225 auid=unset uid=setroubleshoot gid=setroubleshoot euid=setroubleshoot suid=setroubleshoot fsuid=setroubleshoot egid=setroubleshoot sgid=setroubleshoot fsgid=setroubleshoot tty=(none) ses=unset comm=setroubleshootd exe=/usr/bin/python3.9 subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(06/14/21 19:46:19.822:3456) : avc: denied { getattr } for pid=43225 comm=setroubleshootd path=/proc/sys/kernel/ns_last_pid dev="proc" ino=170159 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 tclass=file permissive=0
```

Tested with 4.18.0-305.el8:

```
===========================================================
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_cap
bz1960708_user_cap = cap_checkpoint_restore+eip
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_nocap
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_cap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Can't write to buf
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_nocap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Can't write to buf
[test@hp-dl385g10-04 tmp]$ rpm -q libcap
libcap-2.48-2.el8.x86_64
[test@hp-dl385g10-04 tmp]$ uname -a
Linux hp-dl385g10-04.rhts.eng.pek2.redhat.com 4.18.0-305.el8.x86_64 #1 SMP Thu Apr 29 08:54:30 EDT 2021 x86_64 x86_64 x86_64 GNU/Linux
```

Verified with 4.18.0-327.el8:

```
===========================================================
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_nocap
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_cap
bz1960708_user_cap cap_checkpoint_restore=eip
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_nocap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Can't write to buf
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_cap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Done
Forking...
I'm parent. My child got right pid!
Done
Done
I'm child!
[test@hp-dl385g10-04 tmp]$ uname -a
Linux hp-dl385g10-04.rhts.eng.pek2.redhat.com 4.18.0-327.el8.x86_64 #1 SMP Fri Jul 30 19:02:07 EDT 2021 x86_64 x86_64 x86_64 GNU/Linux
[test@hp-dl385g10-04 tmp]$ rpm -q libcap
libcap-2.48-2.el8.x86_64
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4356