Patchwork [PULL] VirtFS update

login
register
mail settings
Submitter Aneesh Kumar K.V
Date Dec. 5, 2012, 4:37 p.m.
Message ID <87d2yoe9q2.fsf@linux.vnet.ibm.com>
Download mbox | patch
Permalink /patch/203900/
State New
Headers show

Pull-request

git://github.com/kvaneesh/qemu.git for-upstream

Comments

Aneesh Kumar K.V - Dec. 5, 2012, 4:37 p.m.
The following changes since commit 16c6c80ac3a772b42a87b77dfdf0fdac7c607b0e:

  Open up 1.4 development branch (2012-12-03 14:08:40 -0600)

are available in the git repository at:

  git://github.com/kvaneesh/qemu.git for-upstream

for you to fetch changes up to 9fd2ecdc8cb2dc1a8a7c57b6c9c60bc9947b6a73:

  virtfs-proxy-helper: use setresuid and setresgid (2012-12-05 21:55:54 +0530)

----------------------------------------------------------------
Paolo Bonzini (1):
      virtfs-proxy-helper: use setresuid and setresgid

 fsdev/virtfs-proxy-helper.c |   93 +++++++++++++++++++++++++++++--------------
 1 file changed, 64 insertions(+), 29 deletions(-)
Anthony Liguori - Dec. 10, 2012, 4:58 p.m.
"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com> writes:

> The following changes since commit 16c6c80ac3a772b42a87b77dfdf0fdac7c607b0e:
>
>   Open up 1.4 development branch (2012-12-03 14:08:40 -0600)
>
> are available in the git repository at:
>
>   git://github.com/kvaneesh/qemu.git for-upstream
>
> for you to fetch changes up to 9fd2ecdc8cb2dc1a8a7c57b6c9c60bc9947b6a73:
>
>   virtfs-proxy-helper: use setresuid and setresgid (2012-12-05 21:55:54 +0530)
>

Pulled. Thanks.

Regards,

Anthony Liguori

> ----------------------------------------------------------------
> Paolo Bonzini (1):
>       virtfs-proxy-helper: use setresuid and setresgid
>
>  fsdev/virtfs-proxy-helper.c |   93 +++++++++++++++++++++++++++++--------------
>  1 file changed, 64 insertions(+), 29 deletions(-)
>
> diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
> index f9a8270..df2a939 100644
> --- a/fsdev/virtfs-proxy-helper.c
> +++ b/fsdev/virtfs-proxy-helper.c
> @@ -272,31 +272,76 @@ static int send_status(int sockfd, struct iovec *iovec, int status)
>  /*
>   * from man 7 capabilities, section
>   * Effect of User ID Changes on Capabilities:
> - * 4. If the file system user ID is changed from 0 to nonzero (see setfsuid(2))
> - * then the following capabilities are cleared from the effective set:
> - * CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,  CAP_FOWNER, CAP_FSETID,
> - * CAP_LINUX_IMMUTABLE  (since  Linux 2.2.30), CAP_MAC_OVERRIDE, and CAP_MKNOD
> - * (since Linux 2.2.30). If the file system UID is changed from nonzero to 0,
> - * then any of these capabilities that are enabled in the permitted set
> - * are enabled in the effective set.
> + * If the effective user ID is changed from nonzero to 0, then the permitted
> + * set is copied to the effective set.  If the effective user ID is changed
> + * from 0 to nonzero, then all capabilities are are cleared from the effective
> + * set.
> + *
> + * The setfsuid/setfsgid man pages warn that changing the effective user ID may
> + * expose the program to unwanted signals, but this is not true anymore: for an
> + * unprivileged (without CAP_KILL) program to send a signal, the real or
> + * effective user ID of the sending process must equal the real or saved user
> + * ID of the target process.  Even when dropping privileges, it is enough to
> + * keep the saved UID to a "privileged" value and virtfs-proxy-helper won't
> + * be exposed to signals.  So just use setresuid/setresgid.
>   */
> -static int setfsugid(int uid, int gid)
> +static int setugid(int uid, int gid, int *suid, int *sgid)
>  {
> +    int retval;
> +
>      /*
> -     * We still need DAC_OVERRIDE because  we don't change
> +     * We still need DAC_OVERRIDE because we don't change
>       * supplementary group ids, and hence may be subjected DAC rules
>       */
>      cap_value_t cap_list[] = {
>          CAP_DAC_OVERRIDE,
>      };
>  
> -    setfsgid(gid);
> -    setfsuid(uid);
> +    *suid = geteuid();
> +    *sgid = getegid();
> +
> +    if (setresgid(-1, gid, *sgid) == -1) {
> +        retval = -errno;
> +        goto err_out;
> +    }
> +
> +    if (setresuid(-1, uid, *suid) == -1) {
> +        retval = -errno;
> +        goto err_sgid;
> +    }
>  
>      if (uid != 0 || gid != 0) {
> -        return do_cap_set(cap_list, ARRAY_SIZE(cap_list), 0);
> +        if (do_cap_set(cap_list, ARRAY_SIZE(cap_list), 0) < 0) {
> +            retval = -errno;
> +            goto err_suid;
> +        }
>      }
>      return 0;
> +
> +err_suid:
> +    if (setresuid(-1, *suid, *suid) == -1) {
> +        abort();
> +    }
> +err_sgid:
> +    if (setresgid(-1, *sgid, *sgid) == -1) {
> +        abort();
> +    }
> +err_out:
> +    return retval;
> +}
> +
> +/*
> + * This is used to reset the ugid back with the saved values
> + * There is nothing much we can do checking error values here.
> + */
> +static void resetugid(int suid, int sgid)
> +{
> +    if (setresgid(-1, sgid, sgid) == -1) {
> +        abort();
> +    }
> +    if (setresuid(-1, suid, suid) == -1) {
> +        abort();
> +    }
>  }
>  
>  /*
> @@ -578,18 +623,15 @@ static int do_create_others(int type, struct iovec *iovec)
>  
>      v9fs_string_init(&path);
>      v9fs_string_init(&oldpath);
> -    cur_uid = geteuid();
> -    cur_gid = getegid();
>  
>      retval = proxy_unmarshal(iovec, offset, "dd", &uid, &gid);
>      if (retval < 0) {
>          return retval;
>      }
>      offset += retval;
> -    retval = setfsugid(uid, gid);
> +    retval = setugid(uid, gid, &cur_uid, &cur_gid);
>      if (retval < 0) {
> -        retval = -errno;
> -        goto err_out;
> +        goto unmarshal_err_out;
>      }
>      switch (type) {
>      case T_MKNOD:
> @@ -619,9 +661,10 @@ static int do_create_others(int type, struct iovec *iovec)
>      }
>  
>  err_out:
> +    resetugid(cur_uid, cur_gid);
> +unmarshal_err_out:
>      v9fs_string_free(&path);
>      v9fs_string_free(&oldpath);
> -    setfsugid(cur_uid, cur_gid);
>      return retval;
>  }
>  
> @@ -641,24 +684,16 @@ static int do_create(struct iovec *iovec)
>      if (ret < 0) {
>          goto unmarshal_err_out;
>      }
> -    cur_uid = geteuid();
> -    cur_gid = getegid();
> -    ret = setfsugid(uid, gid);
> +    ret = setugid(uid, gid, &cur_uid, &cur_gid);
>      if (ret < 0) {
> -        /*
> -         * On failure reset back to the
> -         * old uid/gid
> -         */
> -        ret = -errno;
> -        goto err_out;
> +        goto unmarshal_err_out;
>      }
>      ret = open(path.data, flags, mode);
>      if (ret < 0) {
>          ret = -errno;
>      }
>  
> -err_out:
> -    setfsugid(cur_uid, cur_gid);
> +    resetugid(cur_uid, cur_gid);
>  unmarshal_err_out:
>      v9fs_string_free(&path);
>      return ret;

Patch

diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index f9a8270..df2a939 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -272,31 +272,76 @@  static int send_status(int sockfd, struct iovec *iovec, int status)
 /*
  * from man 7 capabilities, section
  * Effect of User ID Changes on Capabilities:
- * 4. If the file system user ID is changed from 0 to nonzero (see setfsuid(2))
- * then the following capabilities are cleared from the effective set:
- * CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,  CAP_FOWNER, CAP_FSETID,
- * CAP_LINUX_IMMUTABLE  (since  Linux 2.2.30), CAP_MAC_OVERRIDE, and CAP_MKNOD
- * (since Linux 2.2.30). If the file system UID is changed from nonzero to 0,
- * then any of these capabilities that are enabled in the permitted set
- * are enabled in the effective set.
+ * If the effective user ID is changed from nonzero to 0, then the permitted
+ * set is copied to the effective set.  If the effective user ID is changed
+ * from 0 to nonzero, then all capabilities are are cleared from the effective
+ * set.
+ *
+ * The setfsuid/setfsgid man pages warn that changing the effective user ID may
+ * expose the program to unwanted signals, but this is not true anymore: for an
+ * unprivileged (without CAP_KILL) program to send a signal, the real or
+ * effective user ID of the sending process must equal the real or saved user
+ * ID of the target process.  Even when dropping privileges, it is enough to
+ * keep the saved UID to a "privileged" value and virtfs-proxy-helper won't
+ * be exposed to signals.  So just use setresuid/setresgid.
  */
-static int setfsugid(int uid, int gid)
+static int setugid(int uid, int gid, int *suid, int *sgid)
 {
+    int retval;
+
     /*
-     * We still need DAC_OVERRIDE because  we don't change
+     * We still need DAC_OVERRIDE because we don't change
      * supplementary group ids, and hence may be subjected DAC rules
      */
     cap_value_t cap_list[] = {
         CAP_DAC_OVERRIDE,
     };
 
-    setfsgid(gid);
-    setfsuid(uid);
+    *suid = geteuid();
+    *sgid = getegid();
+
+    if (setresgid(-1, gid, *sgid) == -1) {
+        retval = -errno;
+        goto err_out;
+    }
+
+    if (setresuid(-1, uid, *suid) == -1) {
+        retval = -errno;
+        goto err_sgid;
+    }
 
     if (uid != 0 || gid != 0) {
-        return do_cap_set(cap_list, ARRAY_SIZE(cap_list), 0);
+        if (do_cap_set(cap_list, ARRAY_SIZE(cap_list), 0) < 0) {
+            retval = -errno;
+            goto err_suid;
+        }
     }
     return 0;
+
+err_suid:
+    if (setresuid(-1, *suid, *suid) == -1) {
+        abort();
+    }
+err_sgid:
+    if (setresgid(-1, *sgid, *sgid) == -1) {
+        abort();
+    }
+err_out:
+    return retval;
+}
+
+/*
+ * This is used to reset the ugid back with the saved values
+ * There is nothing much we can do checking error values here.
+ */
+static void resetugid(int suid, int sgid)
+{
+    if (setresgid(-1, sgid, sgid) == -1) {
+        abort();
+    }
+    if (setresuid(-1, suid, suid) == -1) {
+        abort();
+    }
 }
 
 /*
@@ -578,18 +623,15 @@  static int do_create_others(int type, struct iovec *iovec)
 
     v9fs_string_init(&path);
     v9fs_string_init(&oldpath);
-    cur_uid = geteuid();
-    cur_gid = getegid();
 
     retval = proxy_unmarshal(iovec, offset, "dd", &uid, &gid);
     if (retval < 0) {
         return retval;
     }
     offset += retval;
-    retval = setfsugid(uid, gid);
+    retval = setugid(uid, gid, &cur_uid, &cur_gid);
     if (retval < 0) {
-        retval = -errno;
-        goto err_out;
+        goto unmarshal_err_out;
     }
     switch (type) {
     case T_MKNOD:
@@ -619,9 +661,10 @@  static int do_create_others(int type, struct iovec *iovec)
     }
 
 err_out:
+    resetugid(cur_uid, cur_gid);
+unmarshal_err_out:
     v9fs_string_free(&path);
     v9fs_string_free(&oldpath);
-    setfsugid(cur_uid, cur_gid);
     return retval;
 }
 
@@ -641,24 +684,16 @@  static int do_create(struct iovec *iovec)
     if (ret < 0) {
         goto unmarshal_err_out;
     }
-    cur_uid = geteuid();
-    cur_gid = getegid();
-    ret = setfsugid(uid, gid);
+    ret = setugid(uid, gid, &cur_uid, &cur_gid);
     if (ret < 0) {
-        /*
-         * On failure reset back to the
-         * old uid/gid
-         */
-        ret = -errno;
-        goto err_out;
+        goto unmarshal_err_out;
     }
     ret = open(path.data, flags, mode);
     if (ret < 0) {
         ret = -errno;
     }
 
-err_out:
-    setfsugid(cur_uid, cur_gid);
+    resetugid(cur_uid, cur_gid);
 unmarshal_err_out:
     v9fs_string_free(&path);
     return ret;