Re: Odd interaction with file capabilities and procfs files

From: "Daniel Xu" <dxu@dxuuu.xyz>
To: "Christian Brauner" <brauner@kernel.org>
Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: Odd interaction with file capabilities and procfs files
Date: Wed, 19 Oct 2022 15:42:42 -0600	[thread overview]
Message-ID: <6ddd00bd-87d9-484e-8f2a-06f15a75a4df@app.fastmail.com> (raw)
In-Reply-To: <20221019132201.kd35firo6ks6ph4j@wittgenstein>

Hi Christian,

On Wed, Oct 19, 2022, at 7:22 AM, Christian Brauner wrote:
> On Tue, Oct 18, 2022 at 06:42:04PM -0600, Daniel Xu wrote:
>> Hi,
>> 
>> (Going off get_maintainers.pl for fs/namei.c here)
>> 
>> I'm seeing some weird interactions with file capabilities and S_IRUSR
>> procfs files. Best I can tell it doesn't occur with real files on my btrfs
>> home partition.
>> 
>> Test program:
>> 
>>         #include <fcntl.h>
>>         #include <stdio.h>
>>         
>>         int main()
>>         {
>>                 int fd = open("/proc/self/auxv", O_RDONLY);
>>                 if (fd < 0) {
>>                         perror("open");
>>                         return 1;
>>                 }
>>        
>>                 printf("ok\n");
>>                 return 0;
>>         }
>> 
>> Steps to reproduce:
>> 
>>         $ gcc main.c
>>         $ ./a.out
>>         ok
>>         $ sudo setcap "cap_net_admin,cap_sys_admin+p" a.out
>>         $ ./a.out
>>         open: Permission denied
>> 
>> It's not obvious why this happens, even after spending a few hours
>> going through the standard documentation and kernel code. It's
>> intuitively odd b/c you'd think adding capabilities to the permitted
>> set wouldn't affect functionality.
>> 
>> Best I could tell the -EACCES error occurs in the fallthrough codepath
>> inside generic_permission().
>> 
>> Sorry if this is something dumb or obvious.
>
> Hey Daniel,
>
> No, this is neither dumb nor obvious. :)
>
> Basically, if you set fscaps then /proc/self/auxv will be owned by
> root:root. You can verify this:
>
> #include <fcntl.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <stdio.h>
> #include <errno.h>
> #include <unistd.h>
>
> int main()
> {
>         struct stat st;
>         printf("%d | %d\n", getuid(), geteuid());
>
>         if (stat("/proc/self/auxv", &st)) {
>                 fprintf(stderr, "stat: %d - %m\n", errno);
>                 return 1;
>         }
>         printf("stat: %d | %d\n", st.st_uid, st.st_gid);
>
>         int fd = open("/proc/self/auxv", O_RDONLY);
>         if (fd < 0) {
>                 fprintf(stderr, "open: %d - %m\n", errno);
>                 return 1;
>         }
>
>         printf("ok\n");
>         return 0;
> }
>
> $ ./a.out
> 1000 | 1000
> stat: 1000 | 1000
> ok
> $ sudo setcap "cap_net_admin,cap_sys_admin+p" a.out
> $ ./a.out
> 1000 | 1000
> stat: 0 | 0
> open: 13 - Permission denied
>
> So acl_permission_check() fails and returns -EACCESS which will cause
> generic_permission() to rely on capable_wrt_inode_uidgid() which checks
> for CAP_DAC_READ_SEARCH which you don't have as an unprivileged user.

Thanks for checking on this.

That does explain explain the weirdness but at the expense of another
question: why do fscaps cause /proc/self/auxv to be owned by root?
Is that the correct semantics? This also seems rather unexpected.

I'll take a look tonight and see if I can come up with any answers.

Thanks,
Daniel