Always use ambient capabilities if no new privileges set, not otherwise #1286
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
justincormack
force-pushed
the
ambient-rework
branch
from
9266c85 to
00077f7
Compare
justincormack
added a commit
to justincormack/runtime-spec
that referenced
this pull request
Jan 23, 2017
…lities Ambient capabilities are a feature, since Linux 4.3, that enables capabilities to be set on non root proesses directly. They are the only way to set these, so are desirable in the case of "no new privileges" where suid binaries or filesystem capabilities cannot be used as tis flag denies these operations, and therefore there is no other way to apply capabilities to non root processes. Without "no new privileges" users generally expect suid binaries or filesystem capabilities to be the way to grant capabilities to non root processes. See opencontainers/runc#1286 for the `runc` pull and detailed explanation of the security issues in offering a choice here. Signed-off-by: Justin Cormack <[email protected]>
|
Corresponding spec PR at opencontainers/runtime-spec#668 |
justincormack
changed the title
Currently we have a build flag to enable ambient capabilities. However this is not a good situation as it means different installations of runc may have significantly different behaviour, which can cause security issues. The reason we introduced this was because that enabling ambient capabilities at all times caused issues with some use cases. There are essentially two ways that capabilities are used, which can be characterised as - "modern" applications which want to grant capabilities directly to applictions, including when they run as a non root user - "traditional" which look more like a traditional Linux distro and wish to mediate capabilities for non root users via suid files or with filesystem capabilities. Granting ambient capabilities causes an issue with the second case as the capabilities are immediately granted to non root processes, rather than only being granted when suid files or files with capabilities are executed, for example `sudo`. This PR removes the build flag, so that all builds are the same. In order to accomodate both types of use case, it makes use of the fact that of the "no new privileges" flag is set in the config, then it is no longer possible for suid or filesystem capabilities to have any effect, so the second use case is not possible. So we only apply ambient capabilities if this is the case. So traditional applications that want to use suid binaries or fs caps should not set the no new privileges flag in the config, and there will be no change in behaviour. Applications that wish to run as a non root user, and grant cpabilities that may be directly used can set the no new provileges flag, and then they will be granted ambient privileges, if the kernel version supports them (since 4.3). Old kernel versions are uncapable of granting direct capabilities to non root processes. The changes that are required for applications using runc after this commit are: - if they were using the old "ambient" build flag, they should set "no new privileges" if they were not before. - programs using the build without ambient capabilities (such as Docker) can use this build. If run without no new capabilities, there will be no change, but with this flag they can grant capabiltiies directly to non root processes. They may wish to consider which capabilties are granted by default in this case; I will make changes to Docker for this. Having all builds have the same security setup is the only safe setup, at present it is easy for a user to accidentally use a build with a different flag setting, causing unexpected privileges to be granted. The setup as in this commit should give a sane setup for all kinds of use case with a single binary build. I will prepare a PR for the runtime specification that says this behaviour is correct. Signed-off-by: Justin Cormack <[email protected]>
justincormack
force-pushed
the
ambient-rework
branch
from
00077f7 to
78a6093
Compare
|
Docker PR moby/moby#30382 for testing this code. |
justincormack
added a commit
to justincormack/docker
that referenced
this pull request
Jan 24, 2017
This is a rework of support for ambient capabilities, to avoid the issues in the previous version, where there was a conflict between two use cases, programs that want to use sudo and programs that want to grant unprivileged users direct capabilities. If you do not use the `--security-opt no-new-privileges` flag, nothing changes with this patch. `sudo`, suid binaries and filesystem capabilities elevate privileges, and non root users can only use privileges via these mechanisms as on a normal Linux userspace. With the `no-new-privileges` flag, the kernel does not allow caps to be granted via suid binaries, so it is assumed that the user wants to be granted capabilities directly, so ambient capabilities are granted. For root this makes little difference, but for a normal user this means that they can be granted capabilities directly, so that privileged operations can be performed directly. As previously no capabilities were granted to a non root user with `no-new-privileges`, we take the opoprtunity to reduce the default capability set in this case to only the three safest capabilities: `CAP_KILL`, `CAP_AUDIT_WRITE` and `CAP_NET_SERVICE`. Other capabilities must be granted with `--cap-add`. `runc` commit is in opencontainers/runc#1286 Spec commit is in opencontainers/runtime-spec#668 fix moby#8460 Signed-off-by: Justin Cormack <[email protected]>
|
Closing until OCI spec resolved for capabilities |
|
Since opencontainers/runtime-spec#675 was merged, should discussion here be reopened? |
|
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently we have a build flag to enable ambient capabilities. However this
is not a good situation as it means different installations of runc may
have significantly different behaviour, which can cause security issues.
The reason we introduced this was because that enabling ambient capabilities
at all times caused issues with some use cases. There are essentially two
ways that capabilities are used, which can be characterised as
applictions, including when they run as a non root user
to mediate capabilities for non root users via suid files or with
filesystem capabilities.
Granting ambient capabilities causes an issue with the second case as the
capabilities are immediately granted to non root processes, rather than
only being granted when suid files or files with capabilities are executed,
for example
sudo.This PR removes the build flag, so that all builds are the same. In order
to accomodate both types of use case, it makes use of the fact that of the
"no new privileges" flag is set in the config, then it is no longer possible
for suid or filesystem capabilities to have any effect, so the second use
case is not possible. So we only apply ambient capabilities if this is the
case.
So traditional applications that want to use suid binaries or fs caps should
not set the no new privileges flag in the config, and there will be no change
in behaviour.
Applications that wish to run as a non root user, and grant cpabilities that
may be directly used can set the no new provileges flag, and then they
will be granted ambient privileges, if the kernel version supports them
(since 4.3). Old kernel versions are uncapable of granting direct capabilities
to non root processes.
The changes that are required for applications using runc after this commit
are:
privileges" if they were not before.
use this build. If run without no new capabilities, there will be no change,
but with this flag they can grant capabiltiies directly to non root
processes. They may wish to consider which capabilties are granted by
default in this case; I will make changes to Docker for this.
Having all builds have the same security setup is the only safe setup, at
present it is easy for a user to accidentally use a build with a different
flag setting, causing unexpected privileges to be granted. The setup as
in this commit should give a sane setup for all kinds of use case with a
single binary build. I will prepare a PR for the runtime specification
that says this behaviour is correct.
Signed-off-by: Justin Cormack [email protected]