Bug 1960708 - please add CAP_CHECKPOINT_RESTORE to capability.h
Summary: please add CAP_CHECKPOINT_RESTORE to capability.h
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: kernel
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: beta
Target Release: ---
Assignee: Adrian Reber
QA Contact: Chao Ye
URL:
Whiteboard:
Depends On:
Blocks: 1973325
Reported: 2021-05-14 16:19 UTC by Davide Cavalca
Modified: 2021-11-10 05:22 UTC
CC List: 12 users

Fixed In Version: kernel-4.18.0-326.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1973325
Environment:
Last Closed: 2021-11-09 19:18:49 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links:
- Gitlab redhat/rhel/src/kernel rhel-8 merge_requests 813 (last updated 2021-06-16 15:29:32 UTC)
- Red Hat Product Errata RHSA-2021:4356 (last updated 2021-11-09 19:19:41 UTC)

Description Davide Cavalca 2021-05-14 16:19:43 UTC
5.9 introduced a new capability in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/include/uapi/linux/capability.h?h=v5.9&id=124ea650d3072b005457faed69909221c2905a1f

Please backport this commit so that util-linux can pick it up (specifically for setpriv). This is something we need for the CentOS Hyperscale SIG (https://pagure.io/centos-sig-hyperscale/sig/issue/43) but it would also be generally useful. For reference, https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=74858abbb1032222f922487fd1a24513bbed80f9 is the full merge commit with all related changes. Thanks!

Comment 1 Davide Cavalca 2021-05-14 16:20:20 UTC
Not sure why this bug got marked as private, could you please make it public?

Comment 2 Davide Cavalca 2021-05-14 17:24:54 UTC
FYI, https://git.centos.org/rpms/util-linux/c/128f2ce4adb3b8002efcea69f070e450bccd7378?branch=c8s-sig-hyperscale is the horrible hack I'm using to work around this at the moment.

Comment 4 Adrian Reber 2021-06-09 15:36:12 UTC
There is currently nothing which needs CAP_CHECKPOINT_RESTORE in RHEL 8. I will still try to see if this can be easily backported.

Comment 9 Adrian Reber 2021-06-14 14:30:03 UTC
Possible test case to verify CAP_CHECKPOINT_RESTORE:

#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Usage: ./bz1960708 <pid>
 *
 * Writes <pid>-1 to /proc/sys/kernel/ns_last_pid and then forks; if the
 * write was accepted the child is allocated exactly <pid>. The file is
 * world-readable/writable (mode 0666), so open() succeeds for everyone,
 * but the kernel only honours the write for a process holding
 * CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE in its effective set.
 */
int main(int argc, char *argv[])
{
	int fd, pid;
	char buf[32];

	if (argc != 2)
		return 1;

	printf("Opening ns_last_pid...\n");
	fd = open("/proc/sys/kernel/ns_last_pid", O_RDWR);
	if (fd < 0) {
		perror("Can't open ns_last_pid");
		return 1;
	}
	printf("Done\n");

	pid = atoi(argv[1]);
	snprintf(buf, sizeof(buf), "%d", pid - 1);

	/* This is the step that fails with EPERM when the capability is missing. */
	printf("Writing pid-1 to ns_last_pid...\n");
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) {
		printf("Can't write to buf\n");
		return 1;
	}
	printf("Done\n");

	printf("Forking...\n");
	fflush(stdout);	/* don't let buffered output be duplicated in the child */
	int new_pid;

	new_pid = fork();
	if (new_pid < 0) {
		perror("fork");
		return 1;
	} else if (new_pid == 0) {
		printf("I'm child!\n");
		exit(0);
	} else if (new_pid == pid) {
		printf("I'm parent. My child got right pid!\n");
	} else {
		printf("pid does not match expected one\n");
	}
	printf("Done\n");

	close(fd);

	printf("Done\n");

	return 0;
}

With a 'setcap cap_checkpoint_restore+eip ns_last_pid' this can run as non-root.
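
An added companion check (not code from this bug report or from the RHEL kernel tree): before running the ns_last_pid test, report whether the running kernel knows CAP_CHECKPOINT_RESTORE at all (via /proc/sys/kernel/cap_last_cap, which a kernel without the backport reports as 39) and whether the current process holds it in its effective set (from the CapEff line of /proc/self/status). The capability number 40 is assumed from upstream include/uapi/linux/capability.h as of v5.9 and is defined locally so the program also builds against headers that lack it.

```c
/* Added example, not part of the bug report. CAP_CHECKPOINT_RESTORE is
 * number 40 in upstream include/uapi/linux/capability.h (v5.9); defined
 * here so the program builds against a capability.h without the backport. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define CAP_CHECKPOINT_RESTORE 40

/* 1 if bit `cap` is set in a /proc/<pid>/status mask such as
 * "CapEff: 00000000a80425fb", 0 if clear, -1 if the mask does not parse. */
int cap_in_mask(const char *hexmask, int cap)
{
	char *end;
	unsigned long long mask;

	errno = 0;
	mask = strtoull(hexmask, &end, 16);
	if (errno != 0 || end == hexmask || cap < 0 || cap > 63)
		return -1;
	return (int)((mask >> cap) & 1ULL);
}

/* 1 if a kernel reporting `last_cap` in /proc/sys/kernel/cap_last_cap
 * knows capability `cap`: 39 (CAP_BPF) means no backport, 40 means it is there. */
int kernel_knows_cap(int last_cap, int cap)
{
	return cap >= 0 && cap <= last_cap;
}

int main(void)
{
	int last_cap = -1;
	char line[256], mask[64] = "";
	FILE *f = fopen("/proc/sys/kernel/cap_last_cap", "r");
	if (f) { if (fscanf(f, "%d", &last_cap) != 1) last_cap = -1; fclose(f); }
	f = fopen("/proc/self/status", "r");
	if (f) {
		while (fgets(line, sizeof line, f))
			if (sscanf(line, "CapEff: %63s", mask) == 1)
				break;
		fclose(f);
	}
	printf("cap_last_cap=%d: kernel %s CAP_CHECKPOINT_RESTORE\n", last_cap,
	       kernel_knows_cap(last_cap, CAP_CHECKPOINT_RESTORE) ? "knows" : "lacks");
	printf("CapEff=%s: process %s CAP_CHECKPOINT_RESTORE\n", mask,
	       cap_in_mask(mask, CAP_CHECKPOINT_RESTORE) == 1 ? "holds" : "does not hold");
	return 0;
}
```

Run it once as root and once after the setcap shown above to see the two answers the ns_last_pid test depends on.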

Comment 10 Zdenek Pytela 2021-06-14 18:16:27 UTC
Thank you for the code example, we can use it for testing, it also made me realize the permission actually is allowed in SELinux for init_t and unconfined domains.

For a confined user staff_t, on the other hand, the permission is not set and an AVC denial is triggered (plus one follow-up for setroubleshootd):

----
type=PROCTITLE msg=audit(06/14/21 19:46:19.800:3455) : proctitle=/usr/local/sbin/bz1960708 43333 
type=PATH msg=audit(06/14/21 19:46:19.800:3455) : item=0 name=/proc/sys/kernel/ns_last_pid inode=170159 dev=00:16 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/14/21 19:46:19.800:3455) : cwd=/home/staff
type=SYSCALL msg=audit(06/14/21 19:46:19.800:3455) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x402027 a2=O_RDWR a3=0x0 items=1 ppid=43192 pid=43240 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=pts1 ses=6 comm=bz1960708 exe=/usr/local/sbin/bz1960708 subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/21 19:46:19.800:3455) : avc:  denied  { write } for  pid=43240 comm=bz1960708 name=ns_last_pid dev="proc" ino=170159 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(06/14/21 19:46:19.822:3456) : proctitle=/usr/bin/python3 -Es /usr/sbin/setroubleshootd -f
type=PATH msg=audit(06/14/21 19:46:19.822:3456) : item=0 name=/proc/sys/kernel/ns_last_pid inode=170159 dev=00:16 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/14/21 19:46:19.822:3456) : cwd=/
type=SYSCALL msg=audit(06/14/21 19:46:19.822:3456) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f21671c7510 a2=0x7f2167120f60 a3=0x0 items=1 ppid=1 pid=43225 auid=unset uid=setroubleshoot gid=setroubleshoot euid=setroubleshoot suid=setroubleshoot fsuid=setroubleshoot egid=setroubleshoot sgid=setroubleshoot fsgid=setroubleshoot tty=(none) ses=unset comm=setroubleshootd exe=/usr/bin/python3.9 subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(06/14/21 19:46:19.822:3456) : avc:  denied  { getattr } for  pid=43225 comm=setroubleshootd path=/proc/sys/kernel/ns_last_pid dev="proc" ino=170159 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 tclass=file permissive=0

Comment 26 Chao Ye 2021-08-02 09:39:56 UTC
Tested with 4.18.0-305.el8:
===========================================================
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_cap 
bz1960708_user_cap = cap_checkpoint_restore+eip
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_nocap
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_cap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Can't write to buf
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_nocap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Can't write to buf
[test@hp-dl385g10-04 tmp]$ rpm -q libcap
libcap-2.48-2.el8.x86_64
[test@hp-dl385g10-04 tmp]$ uname -a
Linux hp-dl385g10-04.rhts.eng.pek2.redhat.com 4.18.0-305.el8.x86_64 #1 SMP Thu Apr 29 08:54:30 EDT 2021 x86_64 x86_64 x86_64 GNU/Linux

Verified with 4.18.0-327.el8:
===========================================================
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_nocap 
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_cap 
bz1960708_user_cap cap_checkpoint_restore=eip
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_nocap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Can't write to buf
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_cap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Done
Forking...
I'm parent. My child got right pid!
Done
Done
I'm child!
[test@hp-dl385g10-04 tmp]$ uname -a
Linux hp-dl385g10-04.rhts.eng.pek2.redhat.com 4.18.0-327.el8.x86_64 #1 SMP Fri Jul 30 19:02:07 EDT 2021 x86_64 x86_64 x86_64 GNU/Linux
[test@hp-dl385g10-04 tmp]$ rpm -q libcap
libcap-2.48-2.el8.x86_64

Comment 28 errata-xmlrpc 2021-11-09 19:18:49 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4356