5.9 introduced a new capability in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/include/uapi/linux/capability.h?h=v5.9&id=124ea650d3072b005457faed69909221c2905a1f Please backport this commit so that util-linux can pick it up (specifically for setpriv). This is something we need for the CentOS Hyperscale SIG (https://pagure.io/centos-sig-hyperscale/sig/issue/43) but it would also be generally useful. For reference, https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=74858abbb1032222f922487fd1a24513bbed80f9 is the full merge commit with all related changes. Thanks!
Not sure why this bug got marked as private, could you please make it public?
fyi, https://git.centos.org/rpms/util-linux/c/128f2ce4adb3b8002efcea69f070e450bccd7378?branch=c8s-sig-hyperscale is the horrible hack I'm using to workaround this at the moment
There is currently nothing which needs CAP_CHECKPOINT_RESTORE in RHEL 8. I will still try to see if this can be easily backported.
Possible test case to verify CAP_CHECKPOINT_RESTORE:

#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
	int fd, pid;
	char buf[32];

	if (argc != 2)
		return 1;

	/* ns_last_pid is world-readable, but writing it is what needs the capability */
	printf("Opening ns_last_pid...\n");
	fd = open("/proc/sys/kernel/ns_last_pid", O_RDWR);
	if (fd < 0) {
		perror("Can't open ns_last_pid");
		return 1;
	}
	printf("Done\n");

	/* the next fork() gets last_pid + 1, so write pid - 1 to request `pid` */
	pid = atoi(argv[1]);
	snprintf(buf, sizeof(buf), "%d", pid - 1);

	printf("Writing pid-1 to ns_last_pid...\n");
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) {
		printf("Can't write to buf\n");
		return 1;
	}
	printf("Done\n");

	printf("Forking...\n");
	int new_pid;
	new_pid = fork();
	if (new_pid == 0) {
		printf("I'm child!\n");
		exit(0);
	} else if (new_pid == pid) {
		printf("I'm parent. My child got right pid!\n");
	} else {
		printf("pid does not match expected one\n");
	}
	printf("Done\n");
	close(fd);
	printf("Done\n");
	return 0;
}

With a 'setcap cap_checkpoint_restore+eip ns_last_pid' this can run as non-root.
Thank you for the code example, we can use it for testing. It also made me realize the permission is actually allowed in SELinux for init_t and unconfined domains. For a confined user staff_t, on the other hand, the permission is not set and an AVC denial is triggered (plus one follow-up for setroubleshootd):

----
type=PROCTITLE msg=audit(06/14/21 19:46:19.800:3455) : proctitle=/usr/local/sbin/bz1960708 43333
type=PATH msg=audit(06/14/21 19:46:19.800:3455) : item=0 name=/proc/sys/kernel/ns_last_pid inode=170159 dev=00:16 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/14/21 19:46:19.800:3455) : cwd=/home/staff
type=SYSCALL msg=audit(06/14/21 19:46:19.800:3455) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x402027 a2=O_RDWR a3=0x0 items=1 ppid=43192 pid=43240 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=pts1 ses=6 comm=bz1960708 exe=/usr/local/sbin/bz1960708 subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/14/21 19:46:19.800:3455) : avc: denied { write } for pid=43240 comm=bz1960708 name=ns_last_pid dev="proc" ino=170159 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(06/14/21 19:46:19.822:3456) : proctitle=/usr/bin/python3 -Es /usr/sbin/setroubleshootd -f
type=PATH msg=audit(06/14/21 19:46:19.822:3456) : item=0 name=/proc/sys/kernel/ns_last_pid inode=170159 dev=00:16 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/14/21 19:46:19.822:3456) : cwd=/
type=SYSCALL msg=audit(06/14/21 19:46:19.822:3456) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f21671c7510 a2=0x7f2167120f60 a3=0x0 items=1 ppid=1 pid=43225 auid=unset uid=setroubleshoot gid=setroubleshoot euid=setroubleshoot suid=setroubleshoot fsuid=setroubleshoot egid=setroubleshoot sgid=setroubleshoot fsgid=setroubleshoot tty=(none) ses=unset comm=setroubleshootd exe=/usr/bin/python3.9 subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(06/14/21 19:46:19.822:3456) : avc: denied { getattr } for pid=43225 comm=setroubleshootd path=/proc/sys/kernel/ns_last_pid dev="proc" ino=170159 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:sysctl_kernel_ns_last_pid_t:s0 tclass=file permissive=0
Tested with 4.18.0-305.el8:
===========================================================
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_cap
bz1960708_user_cap = cap_checkpoint_restore+eip
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_nocap
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_cap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Can't write to buf
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_nocap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Can't write to buf
[test@hp-dl385g10-04 tmp]$ rpm -q libcap
libcap-2.48-2.el8.x86_64
[test@hp-dl385g10-04 tmp]$ uname -a
Linux hp-dl385g10-04.rhts.eng.pek2.redhat.com 4.18.0-305.el8.x86_64 #1 SMP Thu Apr 29 08:54:30 EDT 2021 x86_64 x86_64 x86_64 GNU/Linux

Verified with 4.18.0-327.el8:
===========================================================
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_nocap
[test@hp-dl385g10-04 tmp]$ getcap bz1960708_user_cap
bz1960708_user_cap cap_checkpoint_restore=eip
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_nocap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Can't write to buf
[test@hp-dl385g10-04 tmp]$ ./bz1960708_user_cap 43333
Opening ns_last_pid...
Done
Writing pid-1 to ns_last_pid...
Done
Forking...
I'm parent. My child got right pid!
Done
Done
I'm child!
[test@hp-dl385g10-04 tmp]$ uname -a
Linux hp-dl385g10-04.rhts.eng.pek2.redhat.com 4.18.0-327.el8.x86_64 #1 SMP Fri Jul 30 19:02:07 EDT 2021 x86_64 x86_64 x86_64 GNU/Linux
[test@hp-dl385g10-04 tmp]$ rpm -q libcap
libcap-2.48-2.el8.x86_64
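The two runs above differ only in the kernel: on 4.18.0-305 the file capability is set on the binary (getcap shows it, because libcap 2.48 knows the name) but the write still fails, while on 4.18.0-327 the same binary succeeds. The following C program is an added example, not part of the bug report or of the test case posted earlier, that separates the two conditions a practitioner has to check when this kind of test fails: whether the running kernel recognises CAP_CHECKPOINT_RESTORE at all (prctl(PR_CAPBSET_READ, cap) answers 0 or 1 for a capability the kernel knows and fails with EINVAL for one it does not), and whether the current process actually holds it in its effective set (parsed from the CapEff line of /proc/self/status). The function names are my own; the capability number 40 comes from include/uapi/linux/capability.h in v5.9 and is used as a fallback when the build headers predate it; the /proc lines in the comments are constructed samples.

```c
/* Added example (not from the bug report): probe kernel and process support
 * for CAP_CHECKPOINT_RESTORE.  Build with: gcc -O2 -o capprobe capprobe.c
 * Run it plain, then again after: setcap cap_checkpoint_restore+eip capprobe */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>   /* defines CAP_CHECKPOINT_RESTORE on v5.9+ headers */

#ifndef CAP_CHECKPOINT_RESTORE
#define CAP_CHECKPOINT_RESTORE 40   /* assumption for old headers: value from v5.9 uapi */
#endif

/* Does the kernel know this capability number at all?
 * PR_CAPBSET_READ returns 1 or 0 for a valid capability and -1 with
 * errno == EINVAL for a number the kernel has never heard of, so it
 * distinguishes "kernel predates the backport" from "bounding set dropped it".
 * Returns 1 = known, 0 = unknown to this kernel, -1 = some other error. */
int kernel_knows_cap(int cap)
{
    errno = 0;
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
    if (r >= 0)
        return 1;
    return errno == EINVAL ? 0 : -1;
}

/* Parse one "CapXxx:\t<hex mask>" line as found in /proc/<pid>/status,
 * e.g. the constructed sample "CapEff:\t0000010000000000\n".
 * Returns 1 and stores the mask if the line carries the requested key, else 0. */
int parse_cap_line(const char *line, const char *key, uint64_t *mask)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != ':')
        return 0;
    const char *p = line + klen + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return 0;               /* no hex digits after the key */
    *mask = (uint64_t)v;
    return 1;
}

/* Is capability bit `cap` set in a capability mask? */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Read one capability set ("CapEff", "CapPrm", "CapBnd", ...) of the calling
 * process from /proc/self/status.  Returns 1 on success, 0 if unavailable. */
int read_own_cap_set(const char *key, uint64_t *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    char line[256];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_cap_line(line, key, mask)) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

int main(void)
{
    int known = kernel_knows_cap(CAP_CHECKPOINT_RESTORE);
    printf("kernel knows capability %d (CAP_CHECKPOINT_RESTORE): %s\n",
           CAP_CHECKPOINT_RESTORE,
           known == 1 ? "yes" :
           known == 0 ? "no (EINVAL: kernel predates the backport)" : "error");

    uint64_t eff = 0;
    if (!read_own_cap_set("CapEff", &eff)) {
        printf("could not read CapEff from /proc/self/status\n");
        return 1;
    }
    printf("CapEff=%016llx, CAP_CHECKPOINT_RESTORE %s in the effective set\n",
           (unsigned long long)eff,
           cap_in_mask(eff, CAP_CHECKPOINT_RESTORE) ? "is" : "is not");
    return 0;
}
```

On a kernel without the backport the first line reports "no", which is the situation the 4.18.0-305 run shows: setcap succeeds because libcap knows the name, but the kernel cannot honour the bit, so the ns_last_pid write is still refused. With the backported kernel and the file capability applied, both lines report yes and the earlier test program's fork lands on the requested PID. Note that the kernel accepts the write if the caller holds either CAP_CHECKPOINT_RESTORE or CAP_SYS_ADMIN, so a root shell passes the test regardless; run the probe as an unprivileged user to get a meaningful answer.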
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4356