[Devel] [PATCH RH7] ve: caps: ignore setting wrong caps with CAP_SETPCAP

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Jun 25 10:21:53 PDT 2015


It is a temporary decision for docker's sake as we do not have e.g.
CAP_SYS_ADMIN, CAP_NET_ADMIN in PCS7CT and docker tries to set them.

Port diff-ve-caps-ignore-setting-wrong-caps-with-CAP_SETPCAP
  Author: Pavel Tikhomirov
  Email: ptikhomirov at parallels.com
  Subject: capset: ignore setting wrong caps with CAP_SETPCAP
  Date: Tue, 27 Jan 2015 11:52:43 +0300

  if someone in CT who has CAP_SETPCAP tries to set a capability and
  either the kernel does not know about it or the CT does not have it -
  ignore it: don't set it and no error.

change: ignore all caps, not only those that are not in bset

https://jira.sw.ru/browse/PSBM-33693
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 security/commoncap.c | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 829ffac..46e5dd3 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -248,30 +248,52 @@ int cap_capset(struct cred *new,
 	       const kernel_cap_t *inheritable,
 	       const kernel_cap_t *permitted)
 {
+	kernel_cap_t ve_effective = *effective;
+	kernel_cap_t ve_inheritable = *inheritable;
+	kernel_cap_t ve_permitted = *permitted;
+
+	if (!ve_is_super(get_exec_env())) {
+		if (cap_raised(old->cap_effective, CAP_SETPCAP)) {
+			/*
+			 * Ignore all not allowed caps in CT
+			 */
+			printk("Drop not allowed caps in CT. Docker? - Will fix when switch to user namespaces.\n");
+			if (cap_inh_is_capped())
+				ve_inheritable = cap_intersect(ve_inheritable,
+				                               cap_combine(old->cap_inheritable,
+				                                           old->cap_permitted))
+			ve_inheritable = cap_intersect(ve_inheritable,
+			                               cap_combine(old->cap_inheritable,
+			                                           old->cap_bset));
+			ve_permitted = cap_intersect(ve_permitted, old->cap_permitted);
+			ve_effective = cap_intersect(ve_effective, ve_permitted);
+		}
+	}
+
 	if (cap_inh_is_capped() &&
-	    !cap_issubset(*inheritable,
+	    !cap_issubset(ve_inheritable,
 			  cap_combine(old->cap_inheritable,
 				      old->cap_permitted)))
 		/* incapable of using this inheritable set */
 		return -EPERM;
 
-	if (!cap_issubset(*inheritable,
+	if (!cap_issubset(ve_inheritable,
 			  cap_combine(old->cap_inheritable,
 				      old->cap_bset)))
 		/* no new pI capabilities outside bounding set */
 		return -EPERM;
 
 	/* verify restrictions on target's new Permitted set */
-	if (!cap_issubset(*permitted, old->cap_permitted))
+	if (!cap_issubset(ve_permitted, old->cap_permitted))
 		return -EPERM;
 
 	/* verify the _new_Effective_ is a subset of the _new_Permitted_ */
-	if (!cap_issubset(*effective, *permitted))
+	if (!cap_issubset(ve_effective, ve_permitted))
 		return -EPERM;
 
-	new->cap_effective   = *effective;
-	new->cap_inheritable = *inheritable;
-	new->cap_permitted   = *permitted;
+	new->cap_effective   = ve_effective;
+	new->cap_inheritable = ve_inheritable;
+	new->cap_permitted   = ve_permitted;
 	return 0;
 }
 
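Review bot: the `if (cap_inh_is_capped())` branch in the new block is missing the semicolon that terminates its statement: the line `old->cap_permitted))` is followed directly by `ve_inheritable = cap_intersect(ve_inheritable,`, so this hunk does not compile as posted; it needs `old->cap_permitted));`. Two further points on the same block: the `printk()` carries no KERN_ level and fires on every cap_capset() call made by a CAP_SETPCAP holder inside a container, which a busy docker workload will turn into log spam, so `printk_once()` or a ratelimited, KERN_-prefixed message would be more appropriate; and because the checks below now run on the trimmed `ve_*` sets and the function returns 0, a caller inside the CT receives success while the capabilities it asked for were silently dropped, so it can believe it holds a capability it does not, which is the risk the "temporary" wording above accepts and is worth spelling out explicitly in the commit message.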
-- 
1.9.3
