From 96383234d5302f59ee93da63c4c592d8ce8639d4 Mon Sep 17 00:00:00 2001
From: lfbzhm
Date: Fri, 11 Oct 2024 15:23:32 +0000
Subject: [PATCH 1/2] capability: can't raise ambient and drop bounding caps for other process

Signed-off-by: lfbzhm
---
 capability/capability.go       | 7 +++++++
 capability/capability_linux.go | 6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/capability/capability.go b/capability/capability.go
index 1b36f5f..b20c8a8 100644
--- a/capability/capability.go
+++ b/capability/capability.go
@@ -8,6 +8,8 @@
 // Package capability provides utilities for manipulating POSIX capabilities.
 package capability
 
+import "errors"
+
 type Capabilities interface {
 	// Get check whether a capability present in the given
 	// capabilities set. The 'which' value should be one of EFFECTIVE,
@@ -61,6 +63,11 @@ type Capabilities interface {
 	Apply(kind CapType) error
 }
 
+var (
+	errBoundingNotMine = errors.New("not support drop bounding cap of other process")
+	errAmbientNotMine  = errors.New("not support modify ambient cap of other process")
+)
+
 // NewPid initializes a new [Capabilities] object for given pid when
 // it is nonzero, or for the current process if pid is 0.
 //
diff --git a/capability/capability_linux.go b/capability/capability_linux.go
index 0732195..b4c4928 100644
--- a/capability/capability_linux.go
+++ b/capability/capability_linux.go
@@ -334,6 +334,9 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 	}
 	if kind&BOUNDS == BOUNDS {
 		var data [2]capData
+		if c.hdr.pid != 0 {
+			return errBoundingNotMine
+		}
 		err = capget(&c.hdr, &data[0])
 		if err != nil {
 			return
@@ -364,6 +367,9 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 	}
 
 	if kind&AMBS == AMBS {
+		if c.hdr.pid != 0 {
+			return errAmbientNotMine
+		}
 		err = prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)
 		if err != nil && err != syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
 			// Ignore EINVAL as not supported on kernels before 4.3
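Review bot: `errBoundingNotMine` and `errAmbientNotMine` are unexported, so code outside this package cannot use `errors.Is` to distinguish "refused because the target is another process" from a real capset/prctl failure, and patch 2 has to move the whole test file from the black-box `capability_test` package into the internal package just to reference them. Exporting them (`ErrBoundingNotMine`, `ErrAmbientNotMine`) with doc comments such as `// ErrBoundingNotMine is returned by Apply when BOUNDS is requested for a process other than the current one.` is backward-compatible and makes the new restriction part of the documented contract. The messages also read awkwardly; `"dropping bounding capabilities of another process is not supported"` and `"modifying ambient capabilities of another process is not supported"` say the same thing in plain English.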
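Review bot: The `c.hdr.pid != 0` guard sits inside the BOUNDS branch, after whatever earlier branches of Apply (the function starts before this hunk) have already run, so a call such as `Apply(CAPS|BOUNDS)` on a foreign pid presumably applies the CAPS part and only then fails, leaving the target partially updated with no way for the caller to tell which sets were written; the AMBS guard in the next hunk has the same shape. Checking the request once at the top of Apply, before any capset or prctl is issued — `if c.hdr.pid != 0 && kind&BOUNDS == BOUNDS { return errBoundingNotMine }` plus the AMBS equivalent — keeps Apply all-or-nothing. The guard also refuses a caller that built the object with its own pid rather than 0, even though dropping its own bounding set is legal; either compare against the current pid (`os.Getpid()`) as well, or state in the NewPid/Apply documentation that BOUNDS and AMBS are only honoured for pid 0. Minor: `var data [2]capData` is declared before the guard and is unused on the error path, so the guard should precede it.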
From f298c15ab503137e9e31bbb23dce96f0bdb1cd3d Mon Sep 17 00:00:00 2001
From: lifubang
Date: Sun, 13 Oct 2024 17:17:35 +0800
Subject: [PATCH 2/2] add test for apply bounding or ambient caps for other process

Signed-off-by: lifubang
---
 capability/capability_test.go | 43 ++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/capability/capability_test.go b/capability/capability_test.go
index 81b27e5..6e55b3d 100644
--- a/capability/capability_test.go
+++ b/capability/capability_test.go
@@ -2,13 +2,13 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package capability_test
+package capability
 
 import (
+	"errors"
+	"os/exec"
 	"runtime"
 	"testing"
-
-	. "github.com/moby/sys/capability"
 )
 
 // Based on the fact Go 1.18+ supports Linux >= 2.6.32, and
@@ -151,3 +151,40 @@ func TestAmbientCapSet(t *testing.T) {
 		}
 	}
 }
+
+func TestApplyCapsForOtherProcess(t *testing.T) {
+	if runtime.GOOS != "linux" {
+		return
+	}
+	requirePCapSet(t)
+
+	cmd := exec.Command("sleep", "sleep", "infinity")
+	if err := cmd.Start(); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		_ = cmd.Process.Kill()
+		_, _ = cmd.Process.Wait()
+	}()
+
+	pid, err := NewPid(cmd.Process.Pid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err = pid.Load(); err != nil {
+		t.Fatal(err)
+	}
+	err = pid.Apply(BOUNDING)
+	if !errors.Is(err, errBoundingNotMine) {
+		t.Fatalf("expected not support error when drop bounding caps for other process, but got: %v", err)
+	}
+	err = pid.Apply(CAPS)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = pid.Apply(AMBIENT)
+	if !errors.Is(err, errAmbientNotMine) {
+		t.Fatalf("expected not support error when rasing ambient caps for other process, but got: %v", err)
+	}
+}
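Review bot: `exec.Command("sleep", "sleep", "infinity")` hands the literal "sleep" to the sleep binary as its first interval argument, which GNU sleep rejects and exits on immediately, so the child may already be dead by the time `NewPid`/`Load`/`Apply` run and the test would depend on the kernel still resolving an unreaped zombie pid; the intended command is `exec.Command("sleep", "infinity")`. `if runtime.GOOS != "linux" { return }` passes silently on other platforms instead of `t.Skip("linux only")`, which hides the skip from `go test -v` (unless the file's other tests deliberately do the same). The message for the ambient case has a typo, `rasing` for `raising`. A one-line comment on `pid.Apply(CAPS)` — `// CAPS on another pid is still allowed; this re-applies the sets Load just read.` — would make clear that the middle call is a deliberate round trip rather than a leftover.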