lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e6t4ucjdrcitzneh2imygsaxyb2aasxfn2q2a4zh5yqdx3vold@kutwh5kwixva>
Date: Wed, 9 Aug 2023 11:26:36 +0200
From: Maximilian Bosch <maximilian@...sch.me>
To: netdev@...r.kernel.org
Subject: [PATCH iproute2-next] ip-vrf: recommend using CAP_BPF rather than
 CAP_SYS_ADMIN

The CAP_SYS_ADMIN capability allows far too much, to quote
`capabilities(7)`:

    Note: this capability is overloaded; see Notes to kernel developers, below.

In the case of `ip-vrf(8)` this is needed to load a BPF program.
According to the same section of the same man-page, using `CAP_BPF` is
preferred if that's the reason for `CAP_SYS_ADMIN`;

    perform  the  same BPF operations as are governed by CAP_BPF (but the latter, weaker capability is preferred for accessing
    that functionality).

Local testing revealed that `ip vrf exec` for an unprivileged user is
sufficient if the `CAP_BPF` capability is given rather than
`CAP_SYS_ADMIN`.

Since this was introduced in Linux 5.8, a note is left that on older
kernels `CAP_SYS_ADMIN` must be used instead.

Signed-off-by: Maximilian Bosch <maximilian@...sch.me>
---
 ip/ip.c           | 2 +-
 man/man8/ip-vrf.8 | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/ip/ip.c b/ip/ip.c
index 8424736f..8c046ef1 100644
--- a/ip/ip.c
+++ b/ip/ip.c
@@ -175,7 +175,7 @@ int main(int argc, char **argv)
 	 * execv will drop them for the child command.
 	 * vrf exec requires:
 	 * - cap_dac_override to create the cgroup subdir in /sys
-	 * - cap_sys_admin to load the BPF program
+	 * - cap_bpf to load the BPF program
 	 * - cap_net_admin to set the socket into the cgroup
 	 */
 	if (argc < 3 || strcmp(argv[1], "vrf") != 0 ||
diff --git a/man/man8/ip-vrf.8 b/man/man8/ip-vrf.8
index c1c9b958..798a6808 100644
--- a/man/man8/ip-vrf.8
+++ b/man/man8/ip-vrf.8
@@ -66,10 +66,11 @@ the current shell is associated with another VRF (e.g, Management VRF).
 This command requires the system to be booted with cgroup v2 (e.g. with systemd,
 add systemd.unified_cgroup_hierarchy=1 to the kernel command line).
 
-This command also requires to be ran as root or with the CAP_SYS_ADMIN,
-CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities. If built with libcap and if
-capabilities are added to the ip binary program via setcap, the program will
-drop them as the first thing when invoked, unless the command is vrf exec.
+This command also requires to be ran as root or with the CAP_BPF (or
+CAP_SYS_ADMIN on Linux <5.8), CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities.
+If built with libcap and if capabilities are added to the ip binary program
+via setcap, the program will drop them as the first thing when invoked,
+unless the command is vrf exec.
 .br
 NOTE: capabilities will NOT be dropped if CAP_NET_ADMIN is set to INHERITABLE
 to avoid breaking programs with ambient capabilities that call ip.
-- 
2.40.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ