From bfc3956376128b9560926f6c122a49d809b4be97 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 30 Jun 2016 18:59:32 -0500 Subject: [PATCH] security: adding setcap-wrapper functionality --- nixos/modules/security/setcap-wrapper.c | 210 +++++++++++++++++++++ nixos/modules/security/setcap-wrappers.nix | 165 ++++++++++++++++ 2 files changed, 375 insertions(+) create mode 100644 nixos/modules/security/setcap-wrapper.c create mode 100644 nixos/modules/security/setcap-wrappers.nix diff --git a/nixos/modules/security/setcap-wrapper.c b/nixos/modules/security/setcap-wrapper.c new file mode 100644 index 00000000000..a44d174d90f --- /dev/null +++ b/nixos/modules/security/setcap-wrapper.c @@ -0,0 +1,210 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// Make sure assertions are not compiled out, we use them to codify +// invariants about this program and we want it to fail fast and +// loudly if they are violated. +#undef NDEBUG + +extern char **environ; + +// The SOURCE_PROG and WRAPPER_DIR macros are supplied at compile time +// for a security reason: So they cannot be changed at runtime. +static char * sourceProg = SOURCE_PROG; +static char * wrapperDir = WRAPPER_DIR; + +// Update the capabilities of the running process to include the given +// capability in the Ambient set. +static void set_ambient_cap(cap_value_t cap) +{ + capng_get_caps_process(); + + if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap)) + { + printf("cannot raise the capability into the Inheritable set\n"); + exit(1); + } + + capng_apply(CAPNG_SELECT_CAPS); + + if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long) cap, 0, 0)) + { + perror("cannot raise the capability into the Ambient set\n"); + exit(1); + } +} + +// Given the path to this program, fetch its configured capability set +// (as set by `setcap ... /path/to/file`) and raise those capabilities +// into the Ambient set. +static int make_caps_ambient(const char *selfPath) +{ + cap_t caps = cap_get_file(selfPath); + + if(!caps) + { + fprintf(stderr, "could not retreive the capability set for this file\n"); + return 1; + } + + // We use `cap_to_text` and iteration over the tokenized result + // string because, as of libcap's current release, there is no + // facility for retrieving an array of `cap_value_t`'s that can be + // given to `prctl` in order to lift that capability into the + // Ambient set. + // + // Some discussion was had around shot-gunning all of the + // capabilities we know about into the Ambient set but that has a + // security smell and I deemed the risk of the current + // implementation crashing the program to be lower than the risk + // of a privilege escalation security hole being introduced by + // raising all capabilities, even ones we didn't intend for the + // program, into the Ambient set. + // + // `cap_t` which is returned by `cap_get_*` is an opaque type and + // even if we could retrieve the bitmasks (which, as far as I can + // tell we cannot) in order to get the `cap_value_t` + // representation for each capability we would have to take the + // total number of capabilities supported and iterate over the + // sequence of integers up-to that maximum total, testing each one + // against the bitmask ((bitmask >> n) & 1) to see if it's set and + // aggregating each "capability integer n" that is set in the + // bitmask. + // + // That, combined with the fact that we can't easily get the + // bitmask anyway seemed much more brittle than fetching the + // `cap_t`, transforming it into a textual representation, + // tokenizing the string, and using `cap_from_name` on the token + // to get the `cap_value_t` that we need for `prctl`. There is + // indeed risk involved if the output string format of + // `cap_to_text` ever changes but at this time the combination of + // factors involving the below list have led me to the conclusion + // that the best implementation at this time is reading then + // parsing with *lots of documentation* about why we're doing it + // this way. + // + // 1. No explicit API for fetching an array of `cap_value_t`'s or + // for transforming a `cap_t` into such a representation + // 2. The risk of a crash is lower than lifting all capabilities + // into the Ambient set + // 3. libcap is depended on heavily in the Linux ecosystem so + // there is a high chance that the output representation of + // `cap_to_text` will not change which reduces our risk that + // this parsing step will cause a crash + // + // The preferred method, should it ever be available in the + // future, would be to use libcap API's to transform the result + // from a `cap_get_*` into an array of `cap_value_t`'s that can + // then be given to prctl. + // + // - Parnell + ssize_t capLen; + char* capstr = cap_to_text(caps, &capLen); + cap_free(caps); + + // TODO: For now, we assume that cap_to_text always starts its + // result string with " =" and that the first capability is listed + // immediately after that. We should verify this. + assert(capLen >= 2); + capstr += 2; + + char* saveptr = NULL; + for(char* tok = strtok_r(capstr, ",", &saveptr); tok; tok = strtok_r(NULL, ",", &saveptr)) + { + cap_value_t capnum; + if (cap_from_name(tok, &capnum)) + { + fprintf(stderr, "cap_from_name failed, skipping: %s\n", tok); + } + else if (capnum == CAP_SETPCAP) + { + // Check for the cap_setpcap capability, we set this on the + // wrapper so it can elevate the capabilities to the Ambient + // set but we do not want to propagate it down into the + // wrapped program. + // + // TODO: what happens if that's the behavior you want + // though???? I'm preferring a strict vs. loose policy here. + fprintf(stderr, "cap_setpcap in set, skipping it\n"); + } + else + { + set_ambient_cap(capnum); + printf("raised %s into the Ambient capability set\n", tok); + } + } + cap_free(capstr); + + return 0; +} + +int main(int argc, char * * argv) +{ + // I *think* it's safe to assume that a path from a symbolic link + // should safely fit within the PATH_MAX system limit. Though I'm + // not positive it's safe... + char selfPath[PATH_MAX]; + int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath) - 1); + + assert(selfPathSize > 0); + + selfPath[selfPathSize] = '\0'; + + // Make sure that we are being executed from the right location, + // i.e., `safeWrapperDir'. This is to prevent someone from creating + // hard link `X' from some other location, along with a false + // `X.real' file, to allow arbitrary programs from being executed + // with elevated capabilities. + int len = strlen(wrapperDir); + if (len > 0 && '/' == wrapperDir[len - 1]) + --len; + assert(!strncmp(selfPath, wrapperDir, len)); + assert('/' == wrapperDir[0]); + assert('/' == selfPath[len]); + + // Make *really* *really* sure that we were executed as + // `selfPath', and not, say, as some other setuid program. That + // is, our effective uid/gid should match the uid/gid of + // `selfPath'. + struct stat st; + assert(lstat(selfPath, &st) != -1); + + assert(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())); + assert(!(st.st_mode & S_ISGID) || (st.st_gid == getegid())); + + // And, of course, we shouldn't be writable. + assert(!(st.st_mode & (S_IWGRP | S_IWOTH))); + + struct stat stR; + stat(sourceProg, &stR); + + // Make sure the program we're wrapping is non-zero + assert(stR.st_size > 0); + + // Read the capabilities set on the file and raise them in to the + // Ambient set so the program we're wrapping receives the + // capabilities too! + assert(!make_caps_ambient(selfPath)); + + execve(sourceProg, argv, environ); + + fprintf(stderr, "%s: cannot run `%s': %s\n", + argv[0], sourceProg, strerror(errno)); + + exit(1); +} + + diff --git a/nixos/modules/security/setcap-wrappers.nix b/nixos/modules/security/setcap-wrappers.nix new file mode 100644 index 00000000000..a9e3f8c0b1c --- /dev/null +++ b/nixos/modules/security/setcap-wrappers.nix @@ -0,0 +1,165 @@ +{ config, lib, pkgs, ... }: + +with lib; with pkgs; + +let + + inherit (config.security) setcapWrapperDir; + + cfg = config.security.setcapCapabilities; + + # Produce a shell-code splice intended to be stitched into one of + # the build or install phases within the `setcapWrapper` derivation. + mkSetcapWrapper = { program, source ? null, ...}: + '' + if ! source=${if source != null then source else "$(readlink -f $(PATH=$SETCAP_PATH type -tP ${program}))"}; then + # If we can't find the program, fall back to the + # system profile. + source=/nix/var/nix/profiles/default/bin/${program} + fi + + gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${setcapWrapperDir}\" \ + -lcap-ng -lcap ${./setcap-wrapper.c} -o $out/bin/${program}.wrapper + ''; + + setcapWrappers = + + # This is only useful for Linux platforms and a kernel version of + # 4.3 or greater + assert pkgs.stdenv.isLinux; + assert versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3"; + + pkgs.stdenv.mkDerivation { + name = "setcap-wrapper"; + unpackPhase = "true"; + buildInputs = [ linuxHeaders_4_4 libcap libcap_ng ]; + installPhase = '' + mkdir -p $out/bin + + # Concat together all of our shell splices to compile + # binary wrapper programs for all configured setcap programs. + ${concatMapStrings mkSetcapWrapper cfg} + ''; + }; +in +{ + options = { + security.setcapCapabilities = mkOption { + type = types.listOf types.attrs; + default = []; + example = + [ { program = "sendmail"; + source = "${pkgs.sendmail.bin}/bin/sendmail"; + owner = "nobody"; + group = "postdrop"; + setcap = true; + capabilities = "cap_net_raw+ep"; + } + ]; + description = '' + This option sets capabilities on a wrapper program that + propagates those capabilities down to the wrapped, real + program. + + The `program` attribute is the name of the program to be + wrapped. If no `source` attribute is provided, specifying the + absolute path to the program, then the program will be + searched for in the path environment variable. + + NOTE: cap_setpcap, which is required for the wrapper program + to be able to raise caps into the Ambient set is NOT raised to + the Ambient set so that the real program cannot modify its own + capabilities!! This may be too restrictive for cases in which + the real program needs cap_setpcap but it at least leans on + the side security paranoid vs. too relaxed. + + The attribute `setcap` defaults to false and it will create a + wrapper program but never set the capability set on it. This + is done so that you can remove a capability sent entirely from + a wrapper program without also needing to go change any + absolute paths that may be directly referencing the wrapper + program. + ''; + }; + + security.setcapWrapperDir = mkOption { + type = types.path; + default = "/nix/var/setcap-wrappers"; + internal = true; + description = '' + This option defines the path to the setcap wrappers. It + should generally not be overriden. + ''; + }; + + }; + + config = { + + # Make sure our setcap-wrapper dir exports to the PATH env + # variable when initializing the shell + environment.extraInit = '' + # The setcap wrappers override other bin directories. + export PATH="${config.security.setcapWrapperDir}:$PATH" + ''; + + + + system.activationScripts.setcap = + let + setcapPrograms = cfg; + configureSetcapWrapper = + { program + , capabilities + , source ? null + , owner ? "nobody" + , group ? "nogroup" + , setcap ? false + }: + '' + mkdir -p ${setcapWrapperDir} + + cp ${setcapWrappers}/bin/${program}.wrapper ${setcapWrapperDir}/${program} + + # Prevent races + chmod 0000 ${setcapWrapperDir}/${program} + chown ${owner}.${group} ${setcapWrapperDir}/${program} + + # Set desired capabilities on the file plus cap_setpcap so + # the wrapper program can elevate the capabilities set on + # its file into the Ambient set. + # + # Only set the capabilities though if we're being told to + # do so. + ${ + if setcap then + '' + ${libcap.out}/bin/setcap "cap_setpcap,${capabilities}" ${setcapWrapperDir}/${program} + '' + else "" + } + + # Set the executable bit + chmod u+rx,g+x,o+x ${setcapWrapperDir}/${program} + ''; + + in stringAfter [ "users" ] + '' + # Look in the system path and in the default profile for + # programs to be wrapped. + SETCAP_PATH=${config.system.path}/bin:${config.system.path}/sbin + + # When a program is removed from the security.setcapCapabilities + # list we have to remove all of the previous program wrappers + # and re-build them minus the wrapper for the program removed, + # hence the rm here in the activation script. + + rm -f ${setcapWrapperDir}/* + + # Concatenate the generated shell slices to configure + # wrappers for each program needing specialized capabilities. + + ${concatMapStrings configureSetcapWrapper setcapPrograms} + ''; + }; +}