State when the runtime should and must not apply Linux ambient capabities #668
Conversation
…lities Ambient capabilities are a feature, since Linux 4.3, that enables capabilities to be set on non root proesses directly. They are the only way to set these, so are desirable in the case of "no new privileges" where suid binaries or filesystem capabilities cannot be used as tis flag denies these operations, and therefore there is no other way to apply capabilities to non root processes. Without "no new privileges" users generally expect suid binaries or filesystem capabilities to be the way to grant capabilities to non root processes. See opencontainers/runc#1286 for the `runc` pull and detailed explanation of the security issues in offering a choice here. Signed-off-by: Justin Cormack <[email protected]>
|
Related to this topic, I think that in the pre-existing wording the More generally, this field can be read both as some upper limit that a process is allowed to reach (ie. focused on the bounding set) or as starting privileges that the process will already have (ie. focused on the ambient/effective set). This PR seems to go in the latter direction, so I think it's the right time to clarify the semantics. |
|
@lucab yes that is a good point. It has always tried to do both, well at least |
|
I am happy to add those changes here, and retitle this "clarify the capabilities spec"... |
|
@justincormack WDYT of adding a separate boolean for ambient capabilities? That way the config generator has the option to do what it wants rather than tying this to noNewPrivileges? |
|
@mrunalp yes that is an option, but I do think this version should cover all the use cases, without complicating the spec. If you set NNP you must want ambient applied (well, at least if you choose a non root user, it makes no real difference in the root case) because otherwise you dont actually get the capabilities you asked for and have no way to get them under any circumstance, so it definitely makes sense here. If you don't have NNP set, you are implying that you may want to raise capabilities, but if you set ambient caps you dont need to raise privs as you already have them. So: It is true that the NNP flag has some other effects (unpriv seccomp) but I don't think they affect this much. For capability aware software, the nnp+ambient setting makes the most sense, and I would try to encourage people to use it - we have a PR for docker to have a daemon setting to make it the default now moby/moby#29984 and I am just working on a PR to go in conjunction with the For people running applications that use If we were to add a flag, I would set it to the same as NNP in Docker, as it is too confusing to have another option, and explain what ambient caps are. We cannot change the way |
|
@mrunalp another option is to simply expose the four capabilities sets in Linux, and make the user specify exactly what they want, but no one has asked for this, and it is very complex. |
This is a rework of support for ambient capabilities, to avoid the issues in the previous version, where there was a conflict between two use cases, programs that want to use sudo and programs that want to grant unprivileged users direct capabilities. If you do not use the `--security-opt no-new-privileges` flag, nothing changes with this patch. `sudo`, suid binaries and filesystem capabilities elevate privileges, and non root users can only use privileges via these mechanisms as on a normal Linux userspace. With the `no-new-privileges` flag, the kernel does not allow caps to be granted via suid binaries, so it is assumed that the user wants to be granted capabilities directly, so ambient capabilities are granted. For root this makes little difference, but for a normal user this means that they can be granted capabilities directly, so that privileged operations can be performed directly. As previously no capabilities were granted to a non root user with `no-new-privileges`, we take the opoprtunity to reduce the default capability set in this case to only the three safest capabilities: `CAP_KILL`, `CAP_AUDIT_WRITE` and `CAP_NET_SERVICE`. Other capabilities must be granted with `--cap-add`. `runc` commit is in opencontainers/runc#1286 Spec commit is in opencontainers/runtime-spec#668 fix moby#8460 Signed-off-by: Justin Cormack <[email protected]>
|
As you seem to be still in brainstorming mode, another idea is to follow the split you described in your other PR (modern vs traditional apps) and having two sets to describe:
This won't break backward compatibility (the first set is the one already in this spec, without runc build tag) and will allow for some more flexibility at the low level (eg. mixing NNP=0 and still having a defined upper bound and optional starting caps as well). The only invariant is that the first set must be a superset of the second set. |
|
@lucab if NNP is defined it is not that much use the initial process having a broader bounding set than current set, as if it has With the non NNP mode, well you would just use fscaps, and make the initial process non root. There has never been a call for splitting up and making the caps more complicated, and I think it is because there is really no reason to. |
|
Its @lucab and not lucan (me) ;) |
|
I don't really like tying up
But it isn't pointless. If you're running a root process that then switches UID/GID and then executes another process, then this change will mean that the new process now has the full capability set. I do agree that the usual case is "pointless" with an unprivileged user, but actually you could implement this in several ways that makes it not pointless (not that I'm suggesting you should implement it by overwriting the process's code with I understand why you'd want to do this, but |
|
@cyphar yes I guess that the NNP, root, ambient case is potentially a bit confusing for a program that expects to be able to drop caps by just changing uid. The POSIX capabilities don't exist in any meaningful sense - POSIX dropped the spec and the only similar implementation is the Linux one. |
|
We discussed this on the OCI call today and we think that having a separate boolean for ambient caps would be preferable. |
|
@mrunalp hmm, but the ambient capability set can also only be a subset of the process' bounding set right ? In that case specifying only a boolean feels restrictive. Maybe adopting current systemd configuration i.e. 1 list for bounding set, 1 list for ambient also works here ? |
|
Yes a boolean for ambient does seem to only cover some use cases. eg you
might want to grant everyone CAP_NET_BIND_SERVICE ambient at all times,
because you do not consider it a security issue, while still granting some
non ambient caps. Two lists is more flexible.
…On Wed, Feb 1, 2017 at 11:04 PM, Daniel, Dao Quang Minh < ***@***.***> wrote:
@mrunalp <https://github.com/mrunalp> hmm, but the ambient capability set
can also only be a subset of the process' bounding set right ? In that case
specifying only a boolean feels restrictive. Maybe adopting current systemd
configuration i.e. 1 list for bounding set, 1 list for ambient also works
here ?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#668 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAdcPEGoNe-i04smmn7RCTLhV0qIiN3lks5rYQ97gaJpZM4LrLpJ>
.
|
|
So we should have this then? {
"capabilities" : [],
"ambient_capabilities": []
} |
|
@crosbymichael it is more logical to have but obviously that is less backward compatible. It is more forward compatible if we want to add the other two sets though. |
|
i'm fine changing it to something move obvious while we are still pre 1.0 if everyone else is good with it. its not like we haven't changed the types of things 1000 times |
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
|
Closing in favour of #675 |
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Closes opencontainers#668 Signed-off-by: Michael Crosby <[email protected]>
Ambient capabilities are a feature, since Linux 4.3, that enables capabilities
to be set on non root proesses directly. They are the only way to set these,
so are desirable in the case of "no new privileges" where suid binaries or
filesystem capabilities cannot be used as tis flag denies these operations,
and therefore there is no other way to apply capabilities to non root processes.
Without "no new privileges" users generally expect suid binaries or
filesystem capabilities to be the way to grant capabilities to non
root processes.
See opencontainers/runc#1286 for the
runcpulland detailed explanation of the security issues in offering a choice here.
Signed-off-by: Justin Cormack [email protected]