Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

capability: can't raise ambient and drop bounding caps for other process #171

Closed
wants to merge 2 commits into from
Closed

capability: can't raise ambient and drop bounding caps for other process #171

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9638323
capability: can't raise ambient and drop bounding caps for other process
lifubang Oct 11, 2024
f298c15
add test for apply bounding or ambient caps for other process
lifubang Oct 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions capability/capability.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@
// Package capability provides utilities for manipulating POSIX capabilities.
package capability

import "errors"

type Capabilities interface {
// Get check whether a capability present in the given
// capabilities set. The 'which' value should be one of EFFECTIVE,
Expand Down Expand Up @@ -61,6 +63,11 @@ type Capabilities interface {
Apply(kind CapType) error
}

var (
errBoundingNotMine = errors.New("not support drop bounding cap of other process")
errAmbientNotMine = errors.New("not support modify ambient cap of other process")
Comment on lines +67 to +68
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
errBoundingNotMine = errors.New("not support drop bounding cap of other process")
errAmbientNotMine = errors.New("not support modify ambient cap of other process")
errBoundingNotMine = errors.New("unable to modify bounding capabilities of another process")
errAmbientNotMine = errors.New("unable to modify ambient capabilities of another process")

)

// NewPid initializes a new [Capabilities] object for given pid when
// it is nonzero, or for the current process if pid is 0.
//
Expand Down
6 changes: 6 additions & 0 deletions capability/capability_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -334,6 +334,9 @@ func (c *capsV3) Apply(kind CapType) (err error) {
}
if kind&BOUNDS == BOUNDS {
var data [2]capData
if c.hdr.pid != 0 {
return errBoundingNotMine
}
err = capget(&c.hdr, &data[0])
if err != nil {
return
Expand Down Expand Up @@ -364,6 +367,9 @@ func (c *capsV3) Apply(kind CapType) (err error) {
}

if kind&AMBS == AMBS {
if c.hdr.pid != 0 {
return errAmbientNotMine
}
err = prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)
if err != nil && err != syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
// Ignore EINVAL as not supported on kernels before 4.3
Expand Down
43 changes: 40 additions & 3 deletions capability/capability_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,13 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package capability_test
package capability
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I have added this comment already but it looks like it is lost.

I deliberately changed this in commit 7208f83 so these tests can change public API only, and I don't like changing it back.

You have a few options here:

  1. Just check for an error.
  2. export errors (as described in capability: can't raise ambient and drop bounding caps for other process #171 (comment)).
  3. create a different test file which will have package capability and thus would be able to test and access internals.

I would prefer way 2.


import (
"errors"
"os/exec"
"runtime"
"testing"

. "github.com/moby/sys/capability"
)

// Based on the fact Go 1.18+ supports Linux >= 2.6.32, and
Expand Down Expand Up @@ -151,3 +151,40 @@ func TestAmbientCapSet(t *testing.T) {
}
}
}

func TestApplyCapsForOtherProcess(t *testing.T) {
if runtime.GOOS != "linux" {
return
}
requirePCapSet(t)

cmd := exec.Command("sleep", "sleep", "infinity")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be

Suggested change
cmd := exec.Command("sleep", "sleep", "infinity")
cmd := exec.Command("sleep", "infinity")

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error went unnoticed because this test is not being run, because the previous test (TestAmbientCapSet) removes CAP_SET_PCAP from the test process. Oh well

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See here

if err := cmd.Start(); err != nil {
t.Fatal(err)
}
defer func() {
_ = cmd.Process.Kill()
_, _ = cmd.Process.Wait()
}()

pid, err := NewPid(cmd.Process.Pid)
if err != nil {
t.Fatal(err)
}

if err = pid.Load(); err != nil {
t.Fatal(err)
}
err = pid.Apply(BOUNDING)
if !errors.Is(err, errBoundingNotMine) {
t.Fatalf("expected not support error when drop bounding caps for other process, but got: %v", err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
t.Fatalf("expected not support error when drop bounding caps for other process, but got: %v", err)
t.Fatalf("want error %v, got %v", errBoundingNotMine, err)

}
err = pid.Apply(CAPS)
if err != nil {
t.Fatal(err)
}
err = pid.Apply(AMBIENT)
if !errors.Is(err, errAmbientNotMine) {
t.Fatalf("expected not support error when rasing ambient caps for other process, but got: %v", err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
t.Fatalf("expected not support error when rasing ambient caps for other process, but got: %v", err)
t.Fatalf("want error %v, got %v", errAmbientNotMine, err)

}
}