RE: [vserver] Capabilities in Vserver Kernels

From: Joe Gooch <mrwizard_at_k12system.com>
Date: Fri 20 Jun 2008 - 15:23:22 BST
Message-ID: <A8B39189E548604792E5213D18A9DB62190F5428@deagol.win.k12system.com>

Daniel/Others...

Any thoughts?
http://users.k12system.com/mrwizard/software/patch-vserver-cap_bound_set.diff

Joe

> -----Original Message-----
> From: Joe Gooch [mailto:mrwizard@k12system.com]
> Sent: Monday, June 16, 2008 10:14 PM
> To: Daniel Hokka Zakrisson
> Cc: vserver@list.linux-vserver.org
> Subject: Re: [vserver] Capabilities in Vserver Kernels
>
> Your patch: allows guests to change /proc/sys/kernel/cap-bound.
> My patch: prevents chcontext from intersecting I, E, and P
> with cap-bound. (instead, it uses bcapabilities)
>
> I don't change the meanings of any variables.
>
>
> Here's an example of the breakage.
>
>
> Context 0:
>
> $ sudo cat /proc/sys/kernel/cap-bound
> 128
>
> $ /usr/sbin/getpcaps =
> Capabilities for `=': =i cap_setpcap-i
>
> $ cat /proc/self/status |grep Cap
> CapInh: 00000000fffffeff
> CapPrm: 0000000000000000
> CapEff: 0000000000000000
>
> $ sudo cat /proc/self/status |grep Cap
> CapInh: 00000000fffffeff
> CapPrm: 00000000fffffeff
> CapEff: 00000000fffffeff
>
> $ /usr/sbin/execcap " = cap_setuid,cap_setgid+i " /usr/sbin/getpcaps =
> Capabilities for `=': = cap_setgid,cap_setuid+i
>
> $ /usr/sbin/execcap " = cap_setuid,cap_setgid+i " cat /proc/self/status |grep Cap
> CapInh: 00000000000000c0
> CapPrm: 0000000000000000
> CapEff: 0000000000000000
>
> $ /usr/sbin/execcap " = cap_setuid,cap_setgid+i " sudo /usr/sbin/getpcaps =
> Capabilities for `=': = cap_setgid,cap_setuid+eip
>
> $ /usr/sbin/execcap " = cap_setuid,cap_setgid+i " sudo cat /proc/self/status |grep Cap
> CapInh: 00000000000000c0
> CapPrm: 00000000000000c0
> CapEff: 00000000000000c0
>
>
>
>
> Starting a vserver:
> # vserver test start
>
> vnamespace: vc_set_namespace(): Function not implemented
>
> An error occured while executing the vserver startup
> sequence; when there are no other messages, it is very likely
> that the init-script (/etc/rc.d/rc 3) failed.
>
> Common causes are:
> * /etc/rc.d/rc on Fedora Core 1 and RH9 fails always; the 'apt-rpm' build
>   method knows how to deal with this, but on existing installations,
>   appending 'true' to this file will help.
>
>
> Failed to start vserver 'test'
>
> Want to know why? It's because my cap-bound excludes
> CAP_CONTEXT, and the chcontext() call is intersecting with
> cap-bound. Thus, the vserver process is left with setuid
> only. (cap-bound is 128)
>
> Filtering on bcapabilities instead makes things work right.
>
> Do you have another solution?
>
> Joe
>
Received on Fri Jun 20 15:23:56 2008
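
The mask arithmetic behind the breakage described in the quoted message, as an added example that is not part of the original post or of the patch: it decodes the `Cap*` lines and intersects them with a cap-bound of 128. Bit names follow mainline `<linux/capability.h>`; the function names and the sample text (built from the values quoted above) are assumptions of this example.

```python
# Added example: decode the capability masks quoted in the message above.
# Bits 0-31 follow mainline <linux/capability.h>. The bit number of the
# vserver-specific CAP_CONTEXT is not given on the page, so it is not named.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin "
    "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
    "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
    "sys_tty_config mknod lease audit_write audit_control setfcap"
).split()

def parse_status(text):
    """Return {'CapInh': int, ...} from /proc/<pid>/status style lines."""
    masks = {}
    for line in text.splitlines():
        key, sep, value = line.lstrip("> ").partition(":")
        if sep and key.startswith("Cap"):
            masks[key] = int(value.strip(), 16)
    return masks

def decode(mask):
    """Names of the capabilities set in mask; bits above 31 are reported raw."""
    names = ["cap_" + n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]
    high = mask >> len(CAP_NAMES) << len(CAP_NAMES)
    if high:
        names.append("unknown:0x%x" % high)
    return names

def missing(mask):
    """Names of the capabilities in bits 0-31 that mask does not carry."""
    return ["cap_" + n for bit, n in enumerate(CAP_NAMES) if not mask >> bit & 1]

def bound_by(masks, bound):
    """Intersect every set with a bounding mask, as the message describes."""
    return {name: value & bound for name, value in masks.items()}

# Constructed sample: the 'sudo cat /proc/self/status' values from the message.
SAMPLE = """\
CapInh: 00000000fffffeff
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
"""

if __name__ == "__main__":
    before = parse_status(SAMPLE)
    print("missing before:", missing(before["CapPrm"]))
    for name, value in bound_by(before, 128).items():
        # Only bit 7 survives, so every other capability is dropped.
        print(name, "0x%016x" % value, decode(value))
```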

Generated on Fri 20 Jun 2008 - 15:24:01 BST by hypermail 2.1.8