From bfc3956376128b9560926f6c122a49d809b4be97 Mon Sep 17 00:00:00 2001
From: Parnell Springmeyer <parnell@awakenetworks.com>
Date: Thu, 30 Jun 2016 18:59:32 -0500
Subject: [PATCH] security: adding setcap-wrapper functionality
---
nixos/modules/security/setcap-wrapper.c | 210 +++++++++++++++++++++
nixos/modules/security/setcap-wrappers.nix | 165 ++++++++++++++++
2 files changed, 375 insertions(+)
create mode 100644 nixos/modules/security/setcap-wrapper.c
create mode 100644 nixos/modules/security/setcap-wrappers.nix
diff --git a/nixos/modules/security/setcap-wrapper.c b/nixos/modules/security/setcap-wrapper.c
new file mode 100644
index 00000000000..a44d174d90f
--- /dev/null
+++ b/nixos/modules/security/setcap-wrapper.c
@@ -0,0 +1,210 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <dirent.h>
+#include <assert.h>
+#include <errno.h>
+#include <linux/capability.h>
+#include <sys/capability.h>
+#include <linux/prctl.h>
+#include <sys/prctl.h>
+#include <cap-ng.h>
+
+// Make sure assertions are not compiled out, we use them to codify
+// invariants about this program and we want it to fail fast and
+// loudly if they are violated.
+#undef NDEBUG
+
+extern char **environ;
+
+// The SOURCE_PROG and WRAPPER_DIR macros are supplied at compile time
+// for a security reason: So they cannot be changed at runtime.
+static char * sourceProg = SOURCE_PROG;
+static char * wrapperDir = WRAPPER_DIR;
+
+// Update the capabilities of the running process to include the given
+// capability in the Ambient set.
+static void set_ambient_cap(cap_value_t cap)
+{
+ capng_get_caps_process();
+
+ if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap))
+ {
+ printf("cannot raise the capability into the Inheritable set\n");
+ exit(1);
+ }
+
+ capng_apply(CAPNG_SELECT_CAPS);
+
+ if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long) cap, 0, 0))
+ {
+ perror("cannot raise the capability into the Ambient set\n");
+ exit(1);
+ }
+}
+
+// Given the path to this program, fetch its configured capability set
+// (as set by `setcap ... /path/to/file`) and raise those capabilities
+// into the Ambient set.
+static int make_caps_ambient(const char *selfPath)
+{
+ cap_t caps = cap_get_file(selfPath);
+
+ if(!caps)
+ {
+ fprintf(stderr, "could not retreive the capability set for this file\n");
+ return 1;
+ }
+
+ // We use `cap_to_text` and iteration over the tokenized result
+ // string because, as of libcap's current release, there is no
+ // facility for retrieving an array of `cap_value_t`'s that can be
+ // given to `prctl` in order to lift that capability into the
+ // Ambient set.
+ //
+ // Some discussion was had around shot-gunning all of the
+ // capabilities we know about into the Ambient set but that has a
+ // security smell and I deemed the risk of the current
+ // implementation crashing the program to be lower than the risk
+ // of a privilege escalation security hole being introduced by
+ // raising all capabilities, even ones we didn't intend for the
+ // program, into the Ambient set.
+ //
+ // `cap_t` which is returned by `cap_get_*` is an opaque type and
+ // even if we could retrieve the bitmasks (which, as far as I can
+ // tell we cannot) in order to get the `cap_value_t`
+ // representation for each capability we would have to take the
+ // total number of capabilities supported and iterate over the
+ // sequence of integers up-to that maximum total, testing each one
+ // against the bitmask ((bitmask >> n) & 1) to see if it's set and
+ // aggregating each "capability integer n" that is set in the
+ // bitmask.
+ //
+ // That, combined with the fact that we can't easily get the
+ // bitmask anyway seemed much more brittle than fetching the
+ // `cap_t`, transforming it into a textual representation,
+ // tokenizing the string, and using `cap_from_name` on the token
+ // to get the `cap_value_t` that we need for `prctl`. There is
+ // indeed risk involved if the output string format of
+ // `cap_to_text` ever changes but at this time the combination of
+ // factors involving the below list have led me to the conclusion
+ // that the best implementation at this time is reading then
+ // parsing with *lots of documentation* about why we're doing it
+ // this way.
+ //
+ // 1. No explicit API for fetching an array of `cap_value_t`'s or
+ // for transforming a `cap_t` into such a representation
+ // 2. The risk of a crash is lower than lifting all capabilities
+ // into the Ambient set
+ // 3. libcap is depended on heavily in the Linux ecosystem so
+ // there is a high chance that the output representation of
+ // `cap_to_text` will not change which reduces our risk that
+ // this parsing step will cause a crash
+ //
+ // The preferred method, should it ever be available in the
+ // future, would be to use libcap API's to transform the result
+ // from a `cap_get_*` into an array of `cap_value_t`'s that can
+ // then be given to prctl.
+ //
+ // - Parnell
+ ssize_t capLen;
+ char* capstr = cap_to_text(caps, &capLen);
+ cap_free(caps);
+
+ // TODO: For now, we assume that cap_to_text always starts its
+ // result string with " =" and that the first capability is listed
+ // immediately after that. We should verify this.
+ assert(capLen >= 2);
+ capstr += 2;
+
+ char* saveptr = NULL;
+ for(char* tok = strtok_r(capstr, ",", &saveptr); tok; tok = strtok_r(NULL, ",", &saveptr))
+ {
+ cap_value_t capnum;
+ if (cap_from_name(tok, &capnum))
+ {
+ fprintf(stderr, "cap_from_name failed, skipping: %s\n", tok);
+ }
+ else if (capnum == CAP_SETPCAP)
+ {
+ // Check for the cap_setpcap capability, we set this on the
+ // wrapper so it can elevate the capabilities to the Ambient
+ // set but we do not want to propagate it down into the
+ // wrapped program.
+ //
+ // TODO: what happens if that's the behavior you want
+ // though???? I'm preferring a strict vs. loose policy here.
+ fprintf(stderr, "cap_setpcap in set, skipping it\n");
+ }
+ else
+ {
+ set_ambient_cap(capnum);
+ printf("raised %s into the Ambient capability set\n", tok);
+ }
+ }
+ cap_free(capstr);
+
+ return 0;
+}
+
+int main(int argc, char * * argv)
+{
+ // I *think* it's safe to assume that a path from a symbolic link
+ // should safely fit within the PATH_MAX system limit. Though I'm
+ // not positive it's safe...
+ char selfPath[PATH_MAX];
+ int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath) - 1);
+
+ assert(selfPathSize > 0);
+
+ selfPath[selfPathSize] = '\0';
+
+ // Make sure that we are being executed from the right location,
+ // i.e., `safeWrapperDir'. This is to prevent someone from creating
+ // hard link `X' from some other location, along with a false
+ // `X.real' file, to allow arbitrary programs from being executed
+ // with elevated capabilities.
+ int len = strlen(wrapperDir);
+ if (len > 0 && '/' == wrapperDir[len - 1])
+ --len;
+ assert(!strncmp(selfPath, wrapperDir, len));
+ assert('/' == wrapperDir[0]);
+ assert('/' == selfPath[len]);
+
+ // Make *really* *really* sure that we were executed as
+ // `selfPath', and not, say, as some other setuid program. That
+ // is, our effective uid/gid should match the uid/gid of
+ // `selfPath'.
+ struct stat st;
+ assert(lstat(selfPath, &st) != -1);
+
+ assert(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid()));
+ assert(!(st.st_mode & S_ISGID) || (st.st_gid == getegid()));
+
+ // And, of course, we shouldn't be writable.
+ assert(!(st.st_mode & (S_IWGRP | S_IWOTH)));
+
+ struct stat stR;
+ stat(sourceProg, &stR);
+
+ // Make sure the program we're wrapping is non-zero
+ assert(stR.st_size > 0);
+
+ // Read the capabilities set on the file and raise them in to the
+ // Ambient set so the program we're wrapping receives the
+ // capabilities too!
+ assert(!make_caps_ambient(selfPath));
+
+ execve(sourceProg, argv, environ);
+
+ fprintf(stderr, "%s: cannot run `%s': %s\n",
+ argv[0], sourceProg, strerror(errno));
+
+ exit(1);
+}
+
+
diff --git a/nixos/modules/security/setcap-wrappers.nix b/nixos/modules/security/setcap-wrappers.nix
new file mode 100644
index 00000000000..a9e3f8c0b1c
--- /dev/null
+++ b/nixos/modules/security/setcap-wrappers.nix
@@ -0,0 +1,165 @@
+{ config, lib, pkgs, ... }:
+
+with lib; with pkgs;
+
+let
+
+ inherit (config.security) setcapWrapperDir;
+
+ cfg = config.security.setcapCapabilities;
+
+ # Produce a shell-code splice intended to be stitched into one of
+ # the build or install phases within the `setcapWrapper` derivation.
+ mkSetcapWrapper = { program, source ? null, ...}:
+ ''
+ if ! source=${if source != null then source else "$(readlink -f $(PATH=$SETCAP_PATH type -tP ${program}))"}; then
+ # If we can't find the program, fall back to the
+ # system profile.
+ source=/nix/var/nix/profiles/default/bin/${program}
+ fi
+
+ gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${setcapWrapperDir}\" \
+ -lcap-ng -lcap ${./setcap-wrapper.c} -o $out/bin/${program}.wrapper
+ '';
+
+ setcapWrappers =
+
+ # This is only useful for Linux platforms and a kernel version of
+ # 4.3 or greater
+ assert pkgs.stdenv.isLinux;
+ assert versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3";
+
+ pkgs.stdenv.mkDerivation {
+ name = "setcap-wrapper";
+ unpackPhase = "true";
+ buildInputs = [ linuxHeaders_4_4 libcap libcap_ng ];
+ installPhase = ''
+ mkdir -p $out/bin
+
+ # Concat together all of our shell splices to compile
+ # binary wrapper programs for all configured setcap programs.
+ ${concatMapStrings mkSetcapWrapper cfg}
+ '';
+ };
+in
+{
+ options = {
+ security.setcapCapabilities = mkOption {
+ type = types.listOf types.attrs;
+ default = [];
+ example =
+ [ { program = "sendmail";
+ source = "${pkgs.sendmail.bin}/bin/sendmail";
+ owner = "nobody";
+ group = "postdrop";
+ setcap = true;
+ capabilities = "cap_net_raw+ep";
+ }
+ ];
+ description = ''
+ This option sets capabilities on a wrapper program that
+ propagates those capabilities down to the wrapped, real
+ program.
+
+ The `program` attribute is the name of the program to be
+ wrapped. If no `source` attribute is provided, specifying the
+ absolute path to the program, then the program will be
+ searched for in the path environment variable.
+
+ NOTE: cap_setpcap, which is required for the wrapper program
+ to be able to raise caps into the Ambient set is NOT raised to
+ the Ambient set so that the real program cannot modify its own
+ capabilities!! This may be too restrictive for cases in which
+ the real program needs cap_setpcap but it at least leans on
+ the side security paranoid vs. too relaxed.
+
+ The attribute `setcap` defaults to false and it will create a
+ wrapper program but never set the capability set on it. This
+ is done so that you can remove a capability sent entirely from
+ a wrapper program without also needing to go change any
+ absolute paths that may be directly referencing the wrapper
+ program.
+ '';
+ };
+
+ security.setcapWrapperDir = mkOption {
+ type = types.path;
+ default = "/nix/var/setcap-wrappers";
+ internal = true;
+ description = ''
+ This option defines the path to the setcap wrappers. It
+ should generally not be overriden.
+ '';
+ };
+
+ };
+
+ config = {
+
+ # Make sure our setcap-wrapper dir exports to the PATH env
+ # variable when initializing the shell
+ environment.extraInit = ''
+ # The setcap wrappers override other bin directories.
+ export PATH="${config.security.setcapWrapperDir}:$PATH"
+ '';
+
+
+
+ system.activationScripts.setcap =
+ let
+ setcapPrograms = cfg;
+ configureSetcapWrapper =
+ { program
+ , capabilities
+ , source ? null
+ , owner ? "nobody"
+ , group ? "nogroup"
+ , setcap ? false
+ }:
+ ''
+ mkdir -p ${setcapWrapperDir}
+
+ cp ${setcapWrappers}/bin/${program}.wrapper ${setcapWrapperDir}/${program}
+
+ # Prevent races
+ chmod 0000 ${setcapWrapperDir}/${program}
+ chown ${owner}.${group} ${setcapWrapperDir}/${program}
+
+ # Set desired capabilities on the file plus cap_setpcap so
+ # the wrapper program can elevate the capabilities set on
+ # its file into the Ambient set.
+ #
+ # Only set the capabilities though if we're being told to
+ # do so.
+ ${
+ if setcap then
+ ''
+ ${libcap.out}/bin/setcap "cap_setpcap,${capabilities}" ${setcapWrapperDir}/${program}
+ ''
+ else ""
+ }
+
+ # Set the executable bit
+ chmod u+rx,g+x,o+x ${setcapWrapperDir}/${program}
+ '';
+
+ in stringAfter [ "users" ]
+ ''
+ # Look in the system path and in the default profile for
+ # programs to be wrapped.
+ SETCAP_PATH=${config.system.path}/bin:${config.system.path}/sbin
+
+ # When a program is removed from the security.setcapCapabilities
+ # list we have to remove all of the previous program wrappers
+ # and re-build them minus the wrapper for the program removed,
+ # hence the rm here in the activation script.
+
+ rm -f ${setcapWrapperDir}/*
+
+ # Concatenate the generated shell slices to configure
+ # wrappers for each program needing specialized capabilities.
+
+ ${concatMapStrings configureSetcapWrapper setcapPrograms}
+ '';
+ };
+}