Re: [PATCH] virtiofsd: Allow capability restriction to be turned off
Patchew URL: https://patchew.org/QEMU/20200619171809.30984-1-dgilb...@redhat.com/ Hi, This series failed the asan build test. Please find the testing commands and their output below. If you have Docker installed, you can probably reproduce it locally. === TEST SCRIPT BEGIN === #!/bin/bash export ARCH=x86_64 make docker-image-fedora V=1 NETWORK=1 time make docker-test-debug@fedora TARGET_LIST=x86_64-softmmu J=14 NETWORK=1 === TEST SCRIPT END === GEN docs/interop/qemu-qmp-ref.txt GEN docs/interop/qemu-qmp-ref.7 CC qga/commands.o /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) CC qga/guest-agent-command-state.o CC qga/main.o CC qga/commands-posix.o --- GEN docs/interop/qemu-ga-ref.html GEN docs/interop/qemu-ga-ref.txt GEN docs/interop/qemu-ga-ref.7 /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) LINKqemu-keymap LINKivshmem-client LINKivshmem-server /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) AS pc-bios/optionrom/multiboot.o AS pc-bios/optionrom/linuxboot.o CC pc-bios/optionrom/linuxboot_dma.o AS pc-bios/optionrom/kvmvapic.o /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) LINKqemu-nbd LINKqemu-storage-daemon AS pc-bios/optionrom/pvh.o LINKqemu-img /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) LINKqemu-io CC pc-bios/optionrom/pvh_main.o BUILD pc-bios/optionrom/multiboot.img /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) BUILD pc-bios/optionrom/linuxboot.img BUILD pc-bios/optionrom/kvmvapic.img LINKqemu-edid BUILD pc-bios/optionrom/multiboot.raw /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) BUILD pc-bios/optionrom/linuxboot.raw BUILD pc-bios/optionrom/kvmvapic.raw SIGNpc-bios/optionrom/multiboot.bin LINKfsdev/virtfs-proxy-helper SIGNpc-bios/optionrom/linuxboot.bin /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors.cpp.o) BUILD pc-bios/optionrom/linuxboot_dma.img SIGNpc-bios/optionrom/kvmvapic.bin BUILD pc-bios/optionrom/pvh.img --- SIGNpc-bios/optionrom/linuxboot_dma.bin SIGNpc-bios/optionrom/pvh.bin LINKscsi/qemu-pr-helper /usr/bin/ld: /usr/lib64/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition from
Re: [PATCH] virtiofsd: Allow capability restriction to be turned off
On Fri, Jun 19, 2020 at 06:18:09PM +0100, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert"
>
> Commit a59feb483b8fae24d043 dropped most capabilities at startup,
> since in most cases virtiofsd doesn't need them. Unfortunately we found
> a case that needs CAP_SYS_ADMIN - setting trusted extended attributes.
> It's rare to need it, and the clean fix for it is going to be more
> complicated, but as a way for existing users to continue, allow the
> capability restriction to be turned off by adding
>
> -o no_restrictcaps
>
> We still drop the capabilities by default since this seems much safer;
> even if we don't have an explicit problem to fix.
>
Hi David,
In one of the emails, Daniel suggested option "--trusted-xattrs=on|off".
How about we use that and if that option is specified, we automatically
give CAP_SYS_ADMIN as well. Something to consider.
This probably could be extended later to "--trusted-xattrs=on|off|remapped"
when we have the capability to remap. And in case of "off/remap" we can take
away CAP_SYS_ADMIN.
Vivek
> Signed-off-by: Dr. David Alan Gilbert
> ---
> docs/tools/virtiofsd.rst | 3 +++
> tools/virtiofsd/helper.c | 3 +++
> tools/virtiofsd/passthrough_ll.c | 8 +++-
> 3 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
> index 378594c422..8819d7d19e 100644
> --- a/docs/tools/virtiofsd.rst
> +++ b/docs/tools/virtiofsd.rst
> @@ -81,6 +81,9 @@ Options
> Enable/disable extended attributes (xattr) on files and directories. The
> default is ``no_xattr``.
>
> + * restrictcaps|no_restrictcaps\n"
> +Restrict capabilities at startup. The default is ``restrictcaps``.
> +
> .. option:: --socket-path=PATH
>
>Listen on vhost-user UNIX domain socket at PATH.
> diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c
> index 00a1ef666a..51ed9fbed0 100644
> --- a/tools/virtiofsd/helper.c
> +++ b/tools/virtiofsd/helper.c
> @@ -174,6 +174,9 @@ void fuse_cmdline_help(void)
> " default: no_writeback\n"
> "-o xattr|no_xattr enable/disable xattr\n"
> " default: no_xattr\n"
> + "-o restrictcaps|no_restrictcaps\n"
> + " restrict capabilities at
> startup\n"
> + " default: restrictcaps\n"
> "--rlimit-nofile= set maximum number of file
> descriptors\n"
> " (0 leaves rlimit unchanged)\n"
> " default: min(100, fs.file-max
> - 16384)\n"
> diff --git a/tools/virtiofsd/passthrough_ll.c
> b/tools/virtiofsd/passthrough_ll.c
> index 2ce7c96085..8dee657b19 100644
> --- a/tools/virtiofsd/passthrough_ll.c
> +++ b/tools/virtiofsd/passthrough_ll.c
> @@ -144,6 +144,7 @@ struct lo_data {
> int flock;
> int posix_lock;
> int xattr;
> +int restrictcaps;
> char *source;
> double timeout;
> int cache;
> @@ -170,6 +171,8 @@ static const struct fuse_opt lo_opts[] = {
> { "no_posix_lock", offsetof(struct lo_data, posix_lock), 0 },
> { "xattr", offsetof(struct lo_data, xattr), 1 },
> { "no_xattr", offsetof(struct lo_data, xattr), 0 },
> +{ "restrictcaps", offsetof(struct lo_data, restrictcaps), 1 },
> +{ "no_restrictcaps", offsetof(struct lo_data, restrictcaps), 0 },
> { "timeout=%lf", offsetof(struct lo_data, timeout), 0 },
> { "timeout=", offsetof(struct lo_data, timeout_set), 1 },
> { "cache=none", offsetof(struct lo_data, cache), CACHE_NONE },
> @@ -2615,7 +2618,9 @@ static void setup_sandbox(struct lo_data *lo, struct
> fuse_session *se,
> setup_namespaces(lo, se);
> setup_mounts(lo->source);
> setup_seccomp(enable_syslog);
> -setup_capabilities();
> +if (lo->restrictcaps) {
> +setup_capabilities();
> +}
> }
>
> /* Set the maximum number of open file descriptors */
> @@ -2764,6 +2769,7 @@ int main(int argc, char *argv[])
> .writeback = 0,
> .posix_lock = 1,
> .proc_self_fd = -1,
> +.restrictcaps = 1,
> };
> struct lo_map_elem *root_elem;
> int ret = -1;
> --
> 2.26.2
>
[PATCH] virtiofsd: Allow capability restriction to be turned off
From: "Dr. David Alan Gilbert"
Commit a59feb483b8fae24d043 dropped most capabilities at startup,
since in most cases virtiofsd doesn't need them. Unfortunately we found
a case that needs CAP_SYS_ADMIN - setting trusted extended attributes.
It's rare to need it, and the clean fix for it is going to be more
complicated, but as a way for existing users to continue, allow the
capability restriction to be turned off by adding
-o no_restrictcaps
We still drop the capabilities by default since this seems much safer;
even if we don't have an explicit problem to fix.
Signed-off-by: Dr. David Alan Gilbert
---
docs/tools/virtiofsd.rst | 3 +++
tools/virtiofsd/helper.c | 3 +++
tools/virtiofsd/passthrough_ll.c | 8 +++-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
index 378594c422..8819d7d19e 100644
--- a/docs/tools/virtiofsd.rst
+++ b/docs/tools/virtiofsd.rst
@@ -81,6 +81,9 @@ Options
Enable/disable extended attributes (xattr) on files and directories. The
default is ``no_xattr``.
+ * restrictcaps|no_restrictcaps\n"
+Restrict capabilities at startup. The default is ``restrictcaps``.
+
.. option:: --socket-path=PATH
Listen on vhost-user UNIX domain socket at PATH.
diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c
index 00a1ef666a..51ed9fbed0 100644
--- a/tools/virtiofsd/helper.c
+++ b/tools/virtiofsd/helper.c
@@ -174,6 +174,9 @@ void fuse_cmdline_help(void)
" default: no_writeback\n"
"-o xattr|no_xattr enable/disable xattr\n"
" default: no_xattr\n"
+ "-o restrictcaps|no_restrictcaps\n"
+ " restrict capabilities at startup\n"
+ " default: restrictcaps\n"
"--rlimit-nofile= set maximum number of file
descriptors\n"
" (0 leaves rlimit unchanged)\n"
" default: min(100, fs.file-max -
16384)\n"
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 2ce7c96085..8dee657b19 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -144,6 +144,7 @@ struct lo_data {
int flock;
int posix_lock;
int xattr;
+int restrictcaps;
char *source;
double timeout;
int cache;
@@ -170,6 +171,8 @@ static const struct fuse_opt lo_opts[] = {
{ "no_posix_lock", offsetof(struct lo_data, posix_lock), 0 },
{ "xattr", offsetof(struct lo_data, xattr), 1 },
{ "no_xattr", offsetof(struct lo_data, xattr), 0 },
+{ "restrictcaps", offsetof(struct lo_data, restrictcaps), 1 },
+{ "no_restrictcaps", offsetof(struct lo_data, restrictcaps), 0 },
{ "timeout=%lf", offsetof(struct lo_data, timeout), 0 },
{ "timeout=", offsetof(struct lo_data, timeout_set), 1 },
{ "cache=none", offsetof(struct lo_data, cache), CACHE_NONE },
@@ -2615,7 +2618,9 @@ static void setup_sandbox(struct lo_data *lo, struct
fuse_session *se,
setup_namespaces(lo, se);
setup_mounts(lo->source);
setup_seccomp(enable_syslog);
-setup_capabilities();
+if (lo->restrictcaps) {
+setup_capabilities();
+}
}
/* Set the maximum number of open file descriptors */
@@ -2764,6 +2769,7 @@ int main(int argc, char *argv[])
.writeback = 0,
.posix_lock = 1,
.proc_self_fd = -1,
+.restrictcaps = 1,
};
struct lo_map_elem *root_elem;
int ret = -1;
--
2.26.2
