The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4772
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) ===
From 5fe6f782a863a5ae7875e21a37f8ee728e695652 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <[email protected]>
Date: Wed, 11 Jul 2018 00:47:14 -0400
Subject: [PATCH 1/2] doc: Document uid/gid/mode for proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <[email protected]>
---
 doc/containers.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/doc/containers.md b/doc/containers.md
index 849432cfd..fe4305710 100644
--- a/doc/containers.md
+++ b/doc/containers.md
@@ -448,6 +448,9 @@ Key | Type | Default | Required | Description
 listen | string | - | yes | The address and port to bind and listen
 connect | string | - | yes | The address and port to connect to
 bind | string | host | no | Which side to bind on (host/container)
+uid | int | 0 | no | UID of the owner of the listening Unix socket
+gid | int | 0 | no | GID of the owner of the listening Unix socket
+mode | int | 0660 | no | Mode for the listening Unix socket
 ```
 lxc config device add <container> <device-name> proxy listen=<type>:<addr>:<port>[-<port>][,<port>] connect=<type>:<addr>:<port> bind=<host/container>
From 4ba2f3d894d3790dceaf11097eb496faa3953233 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <[email protected]>
Date: Wed, 11 Jul 2018 01:29:33 -0400
Subject: [PATCH 2/2] proxy: Implement security.{uid,gid} for priv drop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes #4768
Signed-off-by: Stéphane Graber <[email protected]>
---
 doc/api-extensions.md | 5 +++++
 doc/containers.md | 18 ++++++++++--------
 lxd/container.go | 4 ++++
 lxd/container_lxc.go | 4 +++-
 lxd/main_forkproxy.go | 29 +++++++++++++++++++++++++++--
 lxd/proxy_device_utils.go | 4 ++++
 shared/version/api.go | 1 +
 7 files changed, 54 insertions(+), 11 deletions(-)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index a16527207..32e930b9d 100644
--- a/doc/api-extensions.md +++ b/doc/api-extensions.md @@ -540,3 +540,8 @@ sockets. ## container\_protection\_delete Enables setting the `security.protection.delete` field which prevents containers from being deleted if set to true. Snapshots are not affected by this setting. + +## proxy\_priv\_drop +Adds security.uid and security.gid for the proxy devices, allowing +privilege dropping and effectively changing the uid/gid used for +connections to Unix sockets too. diff --git a/doc/containers.md b/doc/containers.md index fe4305710..0f3f9af63 100644 --- a/doc/containers.md +++ b/doc/containers.md @@ -443,14 +443,16 @@ The supported connection types are: * `UDP <-> UNIX` * `UNIX <-> UDP` -Key | Type | Default | Required | Description -:-- | :-- | :-- | :-- | :-- -listen | string | - | yes | The address and port to bind and listen -connect | string | - | yes | The address and port to connect to -bind | string | host | no | Which side to bind on (host/container) -uid | int | 0 | no | UID of the owner of the listening Unix socket -gid | int | 0 | no | GID of the owner of the listening Unix socket -mode | int | 0660 | no | Mode for the listening Unix socket +Key | Type | Default | Required | Description +:-- | :-- | :-- | :-- | :-- +listen | string | - | yes | The address and port to bind and listen +connect | string | - | yes | The address and port to connect to +bind | string | host | no | Which side to bind on (host/container) +uid | int | 0 | no | UID of the owner of the listening Unix socket +gid | int | 0 | no | GID of the owner of the listening Unix socket +mode | int | 0755 | no | Mode for the listening Unix socket +security.uid | int | 0 | no | What UID to drop privilege to +security.gid | int | 0 | no | What GID to drop privilege to ``` lxc config device add <container> <device-name> proxy listen=<type>:<addr>:<port>[-<port>][,<port>] connect=<type>:<addr>:<port> bind=<host/container> 
diff --git a/lxd/container.go b/lxd/container.go
index 2e4f6c440..d748aa597 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -237,6 +237,10 @@ func containerValidDeviceConfigKey(t, k string) bool {
 return true
 case "mode":
 return true
+ case "security.gid":
+ return true
+ case "security.uid":
+ return true
 case "uid":
 return true
 default:
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 2b20819d8..2cee8ad1d 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -6871,7 +6871,9 @@ func (c *containerLXC) insertProxyDevice(devName string, m types.Device) error {
 pidPath,
 proxyValues.listenAddrGid,
 proxyValues.listenAddrUid,
- proxyValues.listenAddrMode)
+ proxyValues.listenAddrMode,
+ proxyValues.securityGid,
+ proxyValues.securityUid)
 if err != nil {
 return fmt.Errorf("Error occurred when starting proxy device: %s", err)
 }
diff --git a/lxd/main_forkproxy.go b/lxd/main_forkproxy.go
index cdf942230..4f6d94ca1 100644
--- a/lxd/main_forkproxy.go
+++ b/lxd/main_forkproxy.go
@@ -299,7 +299,7 @@ type udpSession struct {
 func (c *cmdForkproxy) Command() *cobra.Command {
 // Main subcommand
 cmd := &cobra.Command{}
- cmd.Use = "forkproxy <listen PID> <listen address> <connect PID> <connect address> <fd> <reexec> <log path> <pid path>"
+ cmd.Use = "forkproxy <listen PID> <listen address> <connect PID> <connect address> <log path> <pid path> <listen gid> <listen uid> <listen mode> <security gid> <security uid>"
 cmd.Short = "Setup network connection proxying"
 cmd.Long = `Description:
 Setup network connection proxying
@@ -403,7 +403,7 @@ func (c *cmdForkproxy) Run(cmd *cobra.Command, args []string) error {
 }
 // Sanity checks
- if len(args) != 9 {
+ if len(args) != 11 {
 cmd.Help()
 if len(args) == 0 {
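Review bot: The two cases added to containerValidDeviceConfigKey in lxd/container.go accept `security.gid` and `security.uid` by key name only; the function receives just the device type and the key, so the value is never checked here. In the hunks on this page the strings travel unchanged through setupProxyProcInfo and insertProxyDevice and are first parsed inside forkproxy, so a non-numeric value would presumably surface only as a failure to start the proxy device. If no value validator exists elsewhere (not visible here), rejecting bad values when the config is set would be the better place; at minimum a comment such as `// security.uid/security.gid: numeric IDs, first parsed by forkproxy at device start` would record the contract. The function body starts and ends outside the hunk.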
@@ -556,6 +556,31 @@ func (c *cmdForkproxy) Run(cmd *cobra.Command, args []string) error {
 }
 }
+ // Drop privilege if requested
+ if args[9] != "" {
+ gid, err := strconv.ParseInt(args[9], 10, 32)
+ if err != nil {
+ return err
+ }
+
+ errno := C.setgid(C.__gid_t(gid))
+ if errno < 0 {
+ return fmt.Errorf("setgid: %v", errno)
+ }
+ }
+
+ if args[10] != "" {
+ uid, err := strconv.ParseInt(args[10], 10, 32)
+ if err != nil {
+ return err
+ }
+
+ errno := C.setuid(C.__uid_t(uid))
+ if errno < 0 {
+ return fmt.Errorf("setuid: %v", errno)
+ }
+ }
+
 // Handle SIGTERM which is sent when the proxy is to be removed
 sigs := make(chan os.Signal, 1)
 signal.Notify(sigs, syscall.SIGTERM)
diff --git a/lxd/proxy_device_utils.go b/lxd/proxy_device_utils.go
index 30733af2b..176feb757 100644
--- a/lxd/proxy_device_utils.go
+++ b/lxd/proxy_device_utils.go
@@ -21,6 +21,8 @@ type proxyProcInfo struct {
 listenAddrGid string
 listenAddrUid string
 listenAddrMode string
+ securityUid string
+ securityGid string
 }
 func setupProxyProcInfo(c container, device map[string]string) (*proxyProcInfo, error) {
@@ -64,6 +66,8 @@ func setupProxyProcInfo(c container, device map[string]string) (*proxyProcInfo, error) {
 listenAddrGid: device["gid"],
 listenAddrUid: device["uid"],
 listenAddrMode: device["mode"],
+ securityGid: device["security.gid"],
+ securityUid: device["security.uid"],
 }
 return p, nil
diff --git a/shared/version/api.go b/shared/version/api.go
index 3a673206f..56a455d97 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -113,6 +113,7 @@ var APIExtensions = []string{
 "network_state",
 "proxy_unix_dac_properties",
 "container_protection_delete",
+ "unix_priv_drop",
 }
 // APIExtensionsCount returns the number of available API extensions.
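Review bot: The privilege drop added to Run in lxd/main_forkproxy.go (hunk at -556) changes the GID and UID but leaves the supplementary group list untouched, so a proxy started as root would presumably keep root's groups after the switch; clearing them with setgroups before setgid closes that gap. The single-value cgo calls return the C result, so a failure is reported as `setgid: -1` without the cause, whereas the two-value form yields errno as a Go error. ParseInt with a 32-bit size also accepts negative input, which the C.__gid_t / C.__uid_t conversion wraps to a large ID, so ParseUint is the safer parse. Run starts and ends outside the hunk, and setgroups needs <grp.h> in the cgo preamble, which is not visible here.

```go
// Drop privilege if requested
if args[9] != "" || args[10] != "" {
	// Clear the inherited supplementary groups before changing IDs.
	if ret, err := C.setgroups(0, nil); ret != 0 {
		return fmt.Errorf("setgroups: %v", err)
	}
}

if args[9] != "" {
	gid, err := strconv.ParseUint(args[9], 10, 32)
	if err != nil {
		return err
	}

	// Two-value cgo call: err carries errno when the call fails.
	if ret, err := C.setgid(C.__gid_t(gid)); ret != 0 {
		return fmt.Errorf("setgid: %v", err)
	}
}

// … security.uid block (args[10]): same change with ParseUint and C.setuid …
// … unchanged: SIGTERM handling …
```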
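Review bot: The extension string added to APIExtensions in shared/version/api.go is `"unix_priv_drop"`, but the doc/api-extensions.md section added by this same patch documents the extension as `proxy_priv_drop`. A client that checks the server's extension list for the documented name would not find it and would presumably treat security.uid/security.gid as unsupported. The two names should agree; going by the documentation, the added line would read `"proxy_priv_drop",`. The slice literal starts outside the hunk.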
