From 291f738f341a78f8c7974a7603d1a2eaa01ebacc Mon Sep 17 00:00:00 2001 From: Pavel Zhukov Date: Thu, 21 Feb 2019 10:30:28 +0100 Subject: [PATCH 11/21] Drop unnecessary capabilities Cc: pzhukov@redhat.com dhclient (#517649, #546765), dhcpd/dhcrelay (#699713) --- client/Makefile.am | 3 ++- client/dhclient-script.8 | 10 ++++++++++ client/dhclient.8 | 29 +++++++++++++++++++++++++++++ client/dhclient.c | 24 ++++++++++++++++++++++++ configure.ac | 35 +++++++++++++++++++++++++++++++++++ relay/Makefile.am | 3 ++- relay/dhcrelay.c | 29 +++++++++++++++++++++++++++++ 7 files changed, 131 insertions(+), 2 deletions(-) diff --git a/client/Makefile.am b/client/Makefile.am index d177159..0689185 100644 --- a/client/Makefile.am +++ b/client/Makefile.am @@ -17,6 +17,7 @@ dhclient_LDADD = ../common/libdhcp.@A@ ../omapip/libomapi.@A@ \ @BINDLIBIRSDIR@/libirs.@A@ \ @BINDLIBDNSDIR@/libdns.@A@ \ @BINDLIBISCCFGDIR@/libisccfg.@A@ \ - @BINDLIBISCDIR@/libisc.@A@ + @BINDLIBISCDIR@/libisc.@A@ \ + $(CAPNG_LDADD) man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5 EXTRA_DIST = $(man_MANS) diff --git a/client/dhclient-script.8 b/client/dhclient-script.8 index 0db5516..2eddb8f 100644 --- a/client/dhclient-script.8 +++ b/client/dhclient-script.8 @@ -243,6 +243,16 @@ repeatedly initialized to the values provided by one server, and then the other. Assuming the information provided by both servers is valid, this shouldn't cause any real problems, but it could be confusing. +.PP +Normally, if dhclient was compiled with libcap-ng support, +dhclient drops most capabilities immediately upon startup. +While more secure, this greatly restricts the additional actions that +hooks in dhclient-script can take. For example, any daemons that +dhclient-script starts or restarts will inherit the restricted +capabilities as well, which may interfere with their correct operation. +Thus, the +.BI \-nc +option can be used to prevent dhclient from dropping capabilities. .SH SEE ALSO dhclient(8), dhcpd(8), dhcrelay(8), dhclient.conf(5) and dhclient.leases(5). diff --git a/client/dhclient.8 b/client/dhclient.8 index 6d7fbdb..0145b9f 100644 --- a/client/dhclient.8 +++ b/client/dhclient.8 @@ -134,6 +134,9 @@ dhclient - Dynamic Host Configuration Protocol Client .B -w ] [ +.B -nc +] +[ .B -B ] [ @@ -328,6 +331,32 @@ not to exit when it doesn't find any such interfaces. The program can then be used to notify the client when a network interface has been added or removed, so that the client can attempt to configure an IP address on that interface. +.TP +.BI \-nc +Do not drop capabilities. + +Normally, if +.B dhclient +was compiled with libcap-ng support, +.B dhclient +drops most capabilities immediately upon startup. While more secure, +this greatly restricts the additional actions that hooks in +.B dhclient-script (8) +can take. (For example, any daemons that +.B dhclient-script (8) +starts or restarts will inherit the restricted capabilities as well, +which may interfere with their correct operation.) Thus, the +.BI \-nc +option can be used to prevent +.B dhclient +from dropping capabilities. + +The +.BI \-nc +option is ignored if +.B dhclient +was not compiled with libcap-ng support. + .TP .BI \-n Do not configure any interfaces. This is most likely to be useful in diff --git a/client/dhclient.c b/client/dhclient.c index a86ab9e..5d3f5bc 100644 --- a/client/dhclient.c +++ b/client/dhclient.c @@ -41,6 +41,10 @@ #include #include +#ifdef HAVE_LIBCAP_NG +#include +#endif + /* * Defined in stdio.h when _GNU_SOURCE is set, but we don't want to define * that when building ISC code. @@ -266,6 +270,9 @@ main(int argc, char **argv) { int timeout_arg = 0; char *arg_conf = NULL; int arg_conf_len = 0; +#ifdef HAVE_LIBCAP_NG + int keep_capabilities = 0; +#endif /* Initialize client globals. */ memset(&default_duid, 0, sizeof(default_duid)); @@ -665,6 +672,10 @@ main(int argc, char **argv) { dhclient_request_options = argv[i]; + } else if (!strcmp(argv[i], "-nc")) { +#ifdef HAVE_LIBCAP_NG + keep_capabilities = 1; +#endif } else if (argv[i][0] == '-') { usage("Unknown command: %s", argv[i]); } else if (interfaces_requested < 0) { @@ -725,6 +736,19 @@ main(int argc, char **argv) { path_dhclient_script = s; } +#ifdef HAVE_LIBCAP_NG + /* Drop capabilities */ + if (!keep_capabilities) { + capng_clear(CAPNG_SELECT_CAPS); + capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_DAC_OVERRIDE); // Drop this someday + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_NET_ADMIN, CAP_NET_RAW, + CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN, -1); + capng_apply(CAPNG_SELECT_CAPS); + } +#endif + /* Set up the initial dhcp option universe. */ initialize_common_option_spaces(); diff --git a/configure.ac b/configure.ac index a797438..15fc0d7 100644 --- a/configure.ac +++ b/configure.ac @@ -612,6 +612,41 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[void foo() __attribute__((noreturn)); # Look for optional headers. AC_CHECK_HEADERS(sys/socket.h net/if_dl.h net/if6.h regex.h) +# look for capabilities library +AC_ARG_WITH(libcap-ng, + [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],, + with_libcap_ng=auto) + +# Check for Libcap-ng API +# +# libcap-ng detection +if test x$with_libcap_ng = xno ; then + have_libcap_ng=no; +else + # Start by checking for header file + AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no) + + # See if we have libcap-ng library + AC_CHECK_LIB(cap-ng, capng_clear, + CAPNG_LDADD=-lcap-ng,) + + # Check results are usable + if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then + AC_MSG_ERROR(libcap-ng support was requested and the library was not found) + fi + if test x$CAPNG_LDADD != x -a $capng_headers = no ; then + AC_MSG_ERROR(libcap-ng libraries found but headers are missing) + fi +fi +AC_SUBST(CAPNG_LDADD) +AC_MSG_CHECKING(whether to use libcap-ng) +if test x$CAPNG_LDADD != x ; then + AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support]) + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) +fi + # Solaris needs some libraries for functions AC_SEARCH_LIBS(socket, [socket]) AC_SEARCH_LIBS(inet_ntoa, [nsl]) diff --git a/relay/Makefile.am b/relay/Makefile.am index 2ba5979..8900e0b 100644 --- a/relay/Makefile.am +++ b/relay/Makefile.am @@ -6,7 +6,8 @@ dhcrelay_LDADD = ../common/libdhcp.@A@ ../omapip/libomapi.@A@ \ @BINDLIBIRSDIR@/libirs.@A@ \ @BINDLIBDNSDIR@/libdns.@A@ \ @BINDLIBISCCFGDIR@/libisccfg.@A@ \ - @BINDLIBISCDIR@/libisc.@A@ + @BINDLIBISCDIR@/libisc.@A@ \ + $(CAPNG_LDADD) man_MANS = dhcrelay.8 EXTRA_DIST = $(man_MANS) diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c index ea1be18..7b4f4f1 100644 --- a/relay/dhcrelay.c +++ b/relay/dhcrelay.c @@ -32,6 +32,11 @@ #include #include +#ifdef HAVE_LIBCAP_NG +# include + int keep_capabilities = 0; +#endif + TIME default_lease_time = 43200; /* 12 hours... */ TIME max_lease_time = 86400; /* 24 hours... */ struct tree_cache *global_options[256]; @@ -590,6 +595,10 @@ main(int argc, char **argv) { if (++i == argc) usage(use_noarg, argv[i-1]); dhcrelay_sub_id = argv[i]; +#endif + } else if (!strcmp(argv[i], "-nc")) { +#ifdef HAVE_LIBCAP_NG + keep_capabilities = 1; #endif } else if (!strcmp(argv[i], "-pf")) { if (++i == argc) @@ -660,6 +669,17 @@ main(int argc, char **argv) { #endif } +#ifdef HAVE_LIBCAP_NG + /* Drop capabilities */ + if (!keep_capabilities) { + capng_clear(CAPNG_SELECT_BOTH); + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_NET_RAW, CAP_NET_BIND_SERVICE, -1); + capng_apply(CAPNG_SELECT_BOTH); + log_info ("Dropped all unnecessary capabilities."); + } +#endif + if (!quiet) { log_info("%s %s", message, PACKAGE_VERSION); log_info(copyright); @@ -816,6 +836,15 @@ main(int argc, char **argv) { signal(SIGTERM, dhcp_signal_handler); /* kill */ #endif +#ifdef HAVE_LIBCAP_NG + /* Drop all capabilities */ + if (!keep_capabilities) { + capng_clear(CAPNG_SELECT_BOTH); + capng_apply(CAPNG_SELECT_BOTH); + log_info ("Dropped all capabilities."); + } +#endif + /* Start dispatching packets and timeouts... */ dispatch(); -- 2.14.5