From patchwork Wed Feb 15 16:15:21 2017
X-Patchwork-Submitter: Jeff Layton
X-Patchwork-Id: 9574389
From: Jeff Layton To: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org Cc: cwseys@physics.wisc.edu, simo@redhat.com, samba@lists.samba.org Subject: [cifs-utils PATCH v4 3/4] cifs.upcall: drop capabilities early in program Date: Wed, 15 Feb 2017 11:15:21 -0500 Message-Id: <20170215161522.17063-4-jlayton@samba.org> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20170215161522.17063-1-jlayton@samba.org> References: <20170215161522.17063-1-jlayton@samba.org> Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Much of cifs.upcall can and should be run without elevated privileges. On entry into the program, drop as many capabilities as we can get away with, and then always drop any remaining caps after calling setuid(). Signed-off-by: Jeff Layton --- Makefile.am | 2 +- cifs.upcall.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index 2e99e601049a..4823b6381082 100644 --- a/Makefile.am +++ b/Makefile.am @@ -16,7 +16,7 @@ clean-local: clean-local-upcall clean-local-idmap clean-local-cifsacl if CONFIG_CIFSUPCALL sbin_PROGRAMS += cifs.upcall cifs_upcall_SOURCES = cifs.upcall.c data_blob.c asn1.c spnego.c -cifs_upcall_LDADD = -ltalloc -lkeyutils $(KRB5_LDADD) +cifs_upcall_LDADD = -ltalloc -lkeyutils $(KRB5_LDADD) $(CAPNG_LDADD) man_MANS += cifs.upcall.8 # diff --git a/cifs.upcall.c b/cifs.upcall.c index 2b535a133a30..25af0fb6957b 100644 --- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -54,6 +54,10 @@ #include "spnego.h" #include "cifs_spnego.h" +#ifdef HAVE_LIBCAP_NG +#include +#endif + static krb5_context context; static const char *prog = "cifs.upcall"; 
@@ -63,6 +67,58 @@ typedef enum _sectype { MS_KRB5 } sectype_t; +#ifdef HAVE_LIBCAP_NG +static int +trim_capabilities(bool need_ptrace) +{ + capng_clear(CAPNG_SELECT_BOTH); + + /* + * Need ptrace for environment scraping, and setuid to change uid + */ + if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, + CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, -1)) { + syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__); + return 1; + } + + if (need_ptrace && + capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_PTRACE)) { + syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__); + return 1; + } + + if (capng_apply(CAPNG_SELECT_BOTH)) { + syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__); + return 1; + } + return 0; +} + +static int +drop_all_capabilities(void) +{ + capng_clear(CAPNG_SELECT_BOTH); + if (capng_apply(CAPNG_SELECT_BOTH)) { + syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__); + return 1; + } + return 0; +} +#else /* HAVE_LIBCAP_NG */ +static int +trim_capabilities(void) +{ + return 0; +} + +static int +drop_all_capabilities(void) +{ + return 0; +} +#endif /* HAVE_LIBCAP_NG */ + /* * smb_krb5_principal_get_realm * @@ -733,6 +789,9 @@ int main(const int argc, char *const argv[]) } } + if (trim_capabilities(false)) + goto out; + /* is there a key? */ if (argc <= optind) { usage(); @@ -837,6 +896,10 @@ int main(const int argc, char *const argv[]) goto out; } + rc = drop_all_capabilities(); + if (rc) + goto out; + rc = krb5_init_context(&context); if (rc) { syslog(LOG_ERR, "unable to init krb5 context: %ld", rc);
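Review bot: the new $(CAPNG_LDADD) in cifs_upcall_LDADD is added unconditionally while the C side is guarded by HAVE_LIBCAP_NG, and neither symbol is defined anywhere in this patch (the diffstat covers only Makefile.am and cifs.upcall.c). The build therefore depends on a configure change elsewhere in the series; either state that dependency in the commit message or guard the LDADD line with the same conditional so a build without libcap-ng still links.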
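Review bot: the non-libcap-ng fallback `trim_capabilities(void)` in the #else branch does not match the call `trim_capabilities(false)` in main(), so a build without HAVE_LIBCAP_NG fails to compile; give the stub the same `bool need_ptrace` parameter. The comment above capng_updatev() says ptrace and setuid are needed, but the set actually retained is CAP_SETUID, CAP_SETGID and CAP_DAC_OVERRIDE; the comment should say why CAP_DAC_OVERRIDE must stay, since it is the broadest of the three. Nothing in this patch passes need_ptrace as true, so CAP_SYS_PTRACE is never retained here; if a later patch in the series enables it, say so in the commit message.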
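Review bot: in the first main() hunk, `if (trim_capabilities(false)) goto out;` jumps to the exit path without assigning rc, unlike the later `rc = drop_all_capabilities(); if (rc) goto out;`, so a failure to trim capabilities exits with whatever rc held at that point rather than a failure status. Use `rc = trim_capabilities(false);` followed by `if (rc) goto out;` for consistency with the second call.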
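Review bot: in the second main() hunk, the setuid() call that the commit message says precedes this drop is outside the visible context; please confirm drop_all_capabilities() runs only after the setgid()/setuid() sequence has completed, since CAP_SETUID and CAP_SETGID are cleared here and any later uid change would fail. It is also worth a one-line comment at the call site that krb5_init_context() and everything after it now run with an empty capability set, since that is the property the patch is establishing.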