Use vfs_cap_data and vfs_ns_cap_data structs defined in linux header.

This allows us to use the generated `Marshal/Unmarshal` functions and get rid
of the manual binary encoding/decoding.

Also fixed up vfs.VfsCapDataOf() to emulate Linux behavior more accurately.
It now returns linuxerr errors instead of fmt.Errorf()s, because in future
changes this code will be used on syscall paths.

PiperOrigin-RevId: 754101576

Author: ayushr2

pkg/abi/linux/capability.go

@@ -230,11 +230,9 @@ const (
 // Constants that are used by file capability extended attributes, defined
 // in Linux's include/uapi/linux/capability.h.
 const (
-	// The flag decides the value of effective file capabilit
+	// VFS_CAP_FLAGS_EFFECTIVE allows the effective capability set to be
+	// initialized with the permitted file capabilities.
 	VFS_CAP_FLAGS_EFFECTIVE = 0x000001
-	// VFS_CAP_REVISION_1 was the original file capability implementation,
-	// which supported 32-bit masks for file capabilities.
-	VFS_CAP_REVISION_1 = 0x01000000
 	// VFS_CAP_REVISION_2 allows for file capability masks that are 64
 	// bits in size, and was necessary as the number of supported
 	// capabilities grew beyond 32.
@@ -246,14 +244,41 @@ const (
 	// extended attribute.
 	VFS_CAP_REVISION_3    = 0x03000000
 	VFS_CAP_REVISION_MASK = 0xFF000000
-	// The encoded VFS_CAP_REVISION_1 data's number of bytes.
-	XATTR_CAPS_SZ_1 = 12
-	// The encoded VFS_CAP_REVISION_2 data's number of bytes.
+	// XATTR_CAPS_SZ_2 is sizeof(struct vfs_cap_data).
 	XATTR_CAPS_SZ_2 = 20
-	// The encoded VFS_CAP_REVISION_3 data's number of bytes.
+	// XATTR_CAPS_SZ_3 is sizeof(struct vfs_ns_cap_data).
 	XATTR_CAPS_SZ_3 = 24
 )
 
+// VfsCapData is equivalent to Linux's struct vfs_cap_data.
+//
+// +marshal
+type VfsCapData struct {
+	MagicEtc      uint32
+	PermittedLo   uint32
+	InheritableLo uint32
+	PermittedHi   uint32
+	InheritableHi uint32
+}
+
+// Permitted returns the permitted capability set.
+func (c *VfsCapData) Permitted() uint64 {
+	return uint64(c.PermittedHi)<<32 | uint64(c.PermittedLo)
+}
+
+// Inheritable returns the inheritable capability set.
+func (c *VfsCapData) Inheritable() uint64 {
+	return uint64(c.InheritableHi)<<32 | uint64(c.InheritableLo)
+}
+
+// VfsNsCapData is equivalent to Linux's struct vfs_ns_cap_data.
+//
+// +marshal
+type VfsNsCapData struct {
+	VfsCapData
+	RootID uint32
+}
+
 // CapUserHeader is equivalent to Linux's cap_user_header_t.
 //
 // +marshal

pkg/sentry/kernel/auth/capability_set.go

@@ -15,27 +15,16 @@
 package auth
 
 import (
-	"encoding/binary"
-	"fmt"
-
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/bits"
 	"gvisor.dev/gvisor/pkg/errors/linuxerr"
+	"gvisor.dev/gvisor/pkg/log"
 )
 
 // A CapabilitySet is a set of capabilities implemented as a bitset. The zero
 // value of CapabilitySet is a set containing no capabilities.
 type CapabilitySet uint64
 
-// VfsCapData is equivalent to Linux's cpu_vfs_cap_data, defined
-// in Linux's include/linux/capability.h.
-type VfsCapData struct {
-	MagicEtc    uint32
-	RootID      uint32
-	Permitted   CapabilitySet
-	Inheritable CapabilitySet
-}
-
 // AllCapabilities is a CapabilitySet containing all valid capabilities.
 var AllCapabilities = CapabilitySetOf(linux.CAP_LAST_CAP+1) - 1
 
@@ -57,47 +46,40 @@ func CapabilitySetOfMany(cps []linux.Capability) CapabilitySet {
 // VfsCapDataOf returns a VfsCapData containing the file capabilities for the given slice of bytes.
 // For each field of the cap data, which are in the structure of either vfs_cap_data or vfs_ns_cap_data,
 // the bytes are ordered in little endian.
-func VfsCapDataOf(data []byte) (VfsCapData, error) {
-	var capData VfsCapData
+func VfsCapDataOf(data []byte) (linux.VfsNsCapData, error) {
 	size := len(data)
-	if size < linux.XATTR_CAPS_SZ_1 {
-		return capData, fmt.Errorf("the size of security.capability is too small, actual size: %v", size)
+	if size != linux.XATTR_CAPS_SZ_2 && size != linux.XATTR_CAPS_SZ_3 {
+		log.Warningf("the size of security.capability is invalid: size=%d", size)
+		return linux.VfsNsCapData{}, linuxerr.EINVAL
+	}
+	var capData linux.VfsNsCapData
+	if size == linux.XATTR_CAPS_SZ_3 {
+		capData.UnmarshalUnsafe(data)
+	} else {
+		capData.VfsCapData.UnmarshalUnsafe(data)
+		// rootid = 0 is correct for version 2 file capabilities.
 	}
-	capData.MagicEtc = binary.LittleEndian.Uint32(data[:4])
-	capData.Permitted = CapabilitySet(binary.LittleEndian.Uint32(data[4:8]))
-	capData.Inheritable = CapabilitySet(binary.LittleEndian.Uint32(data[8:12]))
-	// The version of the file capabilities takes first 4 bytes of the given
-	// slice.
-	version := capData.MagicEtc & linux.VFS_CAP_REVISION_MASK
-	switch {
-	case version == linux.VFS_CAP_REVISION_3 && size >= linux.XATTR_CAPS_SZ_3:
-		// Like version 2 file capabilities, version 3 capability
-		// masks are 64 bits in size.  In addition, version 3 has
-		// the root user ID of namespace, which is encoded in the
-		// security.capability extended attribute.
-		capData.RootID = binary.LittleEndian.Uint32(data[20:24])
-		fallthrough
-	case version == linux.VFS_CAP_REVISION_2 && size >= linux.XATTR_CAPS_SZ_2:
-		capData.Permitted += CapabilitySet(binary.LittleEndian.Uint32(data[12:16])) << 32
-		capData.Inheritable += CapabilitySet(binary.LittleEndian.Uint32(data[16:20])) << 32
-	default:
-		return VfsCapData{}, fmt.Errorf("VFS_CAP_REVISION_%v with cap data size %v is not supported", version, size)
+	// See security/commoncap.c:validheader().
+	if sansflags := capData.MagicEtc & ^uint32(linux.VFS_CAP_FLAGS_EFFECTIVE); (size == linux.XATTR_CAPS_SZ_2 && sansflags != linux.VFS_CAP_REVISION_2) ||
+		(size == linux.XATTR_CAPS_SZ_3 && sansflags != linux.VFS_CAP_REVISION_3) {
+		log.Warningf("the magic header of security.capability is invalid: magic=%#x, size=%d", capData.MagicEtc, size)
+		return linux.VfsNsCapData{}, linuxerr.EINVAL
 	}
 	return capData, nil
 }
 
 // CapsFromVfsCaps returns a copy of the given creds with new capability sets
 // by applying the file capability that is specified by capData.
-func CapsFromVfsCaps(capData VfsCapData, creds *Credentials) (*Credentials, error) {
+func CapsFromVfsCaps(capData linux.VfsNsCapData, creds *Credentials) (*Credentials, error) {
 	// If the real or effective user ID of the process is root,
 	// the file inheritable and permitted sets are ignored from
 	// `Capabilities and execution of programs by root` at capabilities(7).
 	if root := creds.UserNamespace.MapToKUID(RootUID); creds.EffectiveKUID == root || creds.RealKUID == root {
 		return creds, nil
 	}
 	effective := (capData.MagicEtc & linux.VFS_CAP_FLAGS_EFFECTIVE) > 0
-	permittedCaps := (capData.Permitted & creds.BoundingCaps) |
-		(capData.Inheritable & creds.InheritableCaps)
+	permittedCaps := (CapabilitySet(capData.Permitted()) & creds.BoundingCaps) |
+		(CapabilitySet(capData.Inheritable()) & creds.InheritableCaps)
 	// P'(effective) = effective ? P'(permitted) : P'(ambient).
 	// The ambient capabilities has not supported yet in gVisor,
 	// set effective capabilities to 0 when effective bit is false.
@@ -106,7 +88,7 @@ func CapsFromVfsCaps(capData VfsCapData, creds *Credentials) (*Credentials, erro
 		effectiveCaps = permittedCaps
 	}
 	// Insufficient to execute correctly.
-	if (capData.Permitted & ^permittedCaps) != 0 {
+	if (CapabilitySet(capData.Permitted()) & ^permittedCaps) != 0 {
 		return nil, linuxerr.EPERM
 	}
 	// If the capabilities don't change, it will return the creds'

pkg/sentry/kernel/auth/capability_set_test.go

@@ -15,7 +15,6 @@
 package auth
 
 import (
-	"fmt"
 	"testing"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
@@ -40,37 +39,62 @@ func credentialsWithCaps(creds *Credentials, permittedCaps, inheritableCaps, eff
 	return newCreds
 }
 
+func vfsNsCapDataFrom(effective bool, rootid uint32, permitted, inheritable CapabilitySet) linux.VfsNsCapData {
+	capData := vfsCapDataFrom(effective, permitted, inheritable)
+	capData.MagicEtc = linux.VFS_CAP_REVISION_3
+	if effective {
+		capData.MagicEtc |= linux.VFS_CAP_FLAGS_EFFECTIVE
+	}
+	capData.RootID = rootid
+	return capData
+}
+
+func vfsCapDataFrom(effective bool, permitted, inheritable CapabilitySet) linux.VfsNsCapData {
+	var capData linux.VfsNsCapData
+	capData.MagicEtc = linux.VFS_CAP_REVISION_2
+	if effective {
+		capData.MagicEtc |= linux.VFS_CAP_FLAGS_EFFECTIVE
+	}
+	capData.PermittedLo = uint32(permitted & 0xffffffff)
+	capData.PermittedHi = uint32(permitted >> 32)
+	capData.InheritableLo = uint32(inheritable & 0xffffffff)
+	capData.InheritableHi = uint32(inheritable >> 32)
+	return capData
+}
+
 func TestCapsFromVfsCaps(t *testing.T) {
 	for _, tst := range []struct {
 		name     string
-		capData  VfsCapData
+		capData  linux.VfsNsCapData
 		creds    *Credentials
 		wantCaps TaskCapabilities
 		wantErr  error
 	}{
 		{
 			name: "TestRootCredential",
-			capData: VfsCapData{
-				MagicEtc:    0x2000001,
-				Permitted:   CapabilitySetOf(linux.CAP_NET_ADMIN),
-				Inheritable: CapabilitySetOf(linux.CAP_NET_ADMIN),
-			},
-			creds: credentialsWithCaps(NewRootCredentials(NewRootUserNamespace()), AllCapabilities, CapabilitySetOf(linux.CAP_NET_RAW), AllCapabilities, CapabilitySetOf(linux.CAP_SYSLOG)),
+			capData: vfsCapDataFrom(
+				true,                                  // effective
+				CapabilitySetOf(linux.CAP_NET_ADMIN),  // permitted
+				CapabilitySetOf(linux.CAP_NET_ADMIN)), // inheritable
+			creds: credentialsWithCaps(
+				NewRootCredentials(NewRootUserNamespace()),
+				AllCapabilities,
+				CapabilitySetOf(linux.CAP_NET_RAW),
+				AllCapabilities,
+				CapabilitySetOf(linux.CAP_SYSLOG)),
 			wantCaps: TaskCapabilities{
 				PermittedCaps:   AllCapabilities,
 				InheritableCaps: CapabilitySetOf(linux.CAP_NET_RAW),
 				EffectiveCaps:   AllCapabilities,
 				BoundingCaps:    CapabilitySetOf(linux.CAP_SYSLOG),
 			},
-			wantErr: nil,
 		},
 		{
 			name: "TestPermittedAndInheritableCaps",
-			capData: VfsCapData{
-				MagicEtc:    0x2000001,
-				Permitted:   CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID}),
-				Inheritable: CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETGID}),
-			},
+			capData: vfsCapDataFrom(
+				true, // effective
+				CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID}),  // permitted
+				CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETGID})), // inheritable
 			creds: credentialsWithCaps(
 				NewUserCredentials(123, 321, nil, nil, NewRootUserNamespace()),
 				AllCapabilities,
@@ -83,15 +107,13 @@ func TestCapsFromVfsCaps(t *testing.T) {
 				EffectiveCaps:   CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID, linux.CAP_SETGID}),
 				BoundingCaps:    AllCapabilities,
 			},
-			wantErr: nil,
 		},
 		{
 			name: "TestEffectiveBitOff",
-			capData: VfsCapData{
-				MagicEtc:    0x2000000,
-				Permitted:   CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID}),
-				Inheritable: CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETGID}),
-			},
+			capData: vfsCapDataFrom(
+				false, // effective
+				CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID}),  // permitted
+				CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETGID})), // inheritable
 			creds: credentialsWithCaps(
 				NewUserCredentials(123, 321, nil, nil, NewRootUserNamespace()),
 				AllCapabilities,
@@ -104,23 +126,20 @@ func TestCapsFromVfsCaps(t *testing.T) {
 				EffectiveCaps:   0,
 				BoundingCaps:    AllCapabilities,
 			},
-			wantErr: nil,
 		},
 		{
 			name: "TestInsufficientCaps",
-			capData: VfsCapData{
-				MagicEtc:    0x2000001,
-				Permitted:   CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID}),
-				Inheritable: CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN}),
-			},
+			capData: vfsCapDataFrom(
+				true, // effective
+				CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID}), // permitted
+				CapabilitySetOf(linux.CAP_CHOWN)),                                          // inheritable
 			creds: credentialsWithCaps(
 				NewUserCredentials(123, 321, nil, nil, NewRootUserNamespace()),
 				AllCapabilities,
 				AllCapabilities,
 				AllCapabilities,
 				CapabilitySetOf(linux.CAP_CHOWN)),
-			wantCaps: TaskCapabilities{},
-			wantErr:  linuxerr.EPERM,
+			wantErr: linuxerr.EPERM,
 		},
 	} {
 		t.Run(tst.name, func(t *testing.T) {
@@ -150,47 +169,28 @@ func TestVfsCapData(t *testing.T) {
 	for _, tst := range []struct {
 		name    string
 		data    []byte
-		capData VfsCapData
+		capData linux.VfsNsCapData
 		wantErr error
 	}{
 		{
 			name:    "VfsCapRevision1",
-			data:    []byte{0, 0, 0, 1, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
-			capData: VfsCapData{},
-			wantErr: fmt.Errorf("VFS_CAP_REVISION_%v with cap data size %v is not supported", 0x1000000, 20),
+			data:    []byte{0, 0, 0, 1, 0, 16, 0, 0, 0, 0, 0, 0},
+			wantErr: linuxerr.EINVAL,
 		},
 		{
-			name: "VfsCapRevision2",
-			data: []byte{1, 0, 0, 2, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0},
-			capData: VfsCapData{
-				MagicEtc:    0x2000001,
-				Permitted:   CapabilitySetOf(linux.CAP_NET_RAW),
-				Inheritable: CapabilitySetOf(linux.CAP_SYSLOG),
-			},
-			wantErr: nil,
+			name:    "VfsCapRevision2WithEffective",
+			data:    []byte{1, 0, 0, 2, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0},
+			capData: vfsCapDataFrom(true, CapabilitySetOf(linux.CAP_NET_RAW), CapabilitySetOf(linux.CAP_SYSLOG)),
 		},
 		{
-			name: "VfsCapRevision3",
-			data: []byte{0, 0, 0, 3, 0, 0, 0, 0, 0, 16, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0},
-			capData: VfsCapData{
-				MagicEtc:    0x3000000,
-				RootID:      1,
-				Permitted:   CapabilitySetOf(linux.CAP_SYSLOG),
-				Inheritable: CapabilitySetOf(linux.CAP_NET_ADMIN),
-			},
-			wantErr: nil,
+			name:    "VfsCapRevision3",
+			data:    []byte{0, 0, 0, 3, 0, 0, 0, 0, 0, 16, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0},
+			capData: vfsNsCapDataFrom(false, 1, CapabilitySetOf(linux.CAP_SYSLOG), CapabilitySetOf(linux.CAP_NET_ADMIN)),
 		},
 		{
 			name:    "VfsCapRevisionNotSupported",
 			data:    []byte{0, 0, 0, 0xf, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0},
-			capData: VfsCapData{},
-			wantErr: fmt.Errorf("VFS_CAP_REVISION_%v with cap data size %v is not supported", 0xf000000, 20),
-		},
-		{
-			name:    "VfsInvalidInput",
-			data:    []byte{0, 0, 0, 0},
-			capData: VfsCapData{},
-			wantErr: fmt.Errorf("the size of security.capability is too small, actual size: %v", 4),
+			wantErr: linuxerr.EINVAL,
 		},
 	} {
 		t.Run(tst.name, func(t *testing.T) {
@@ -200,11 +200,20 @@ func TestVfsCapData(t *testing.T) {
 					t.Errorf("VfsCapDataOf(%v) returned unexpected error %v", tst.data, tst.wantErr)
 				}
 				if tst.capData != capData {
-					t.Errorf("VfsCapDataOf(%v) = %v, want %v", tst.data, capData, tst.capData)
+					t.Errorf("VfsCapDataOf(%v) = %+v, want %+v", tst.data, capData, tst.capData)
 				}
 			} else if tst.wantErr == nil || tst.wantErr.Error() != err.Error() {
 				t.Errorf("VfsCapDataOf(%v) returned error %v, wantErr: %v", tst.data, err, tst.wantErr)
 			}
 		})
 	}
 }
+
+func TestXattrCapsSizeBytes(t *testing.T) {
+	if got := (*linux.VfsCapData)(nil).SizeBytes(); got != linux.XATTR_CAPS_SZ_2 {
+		t.Errorf("XATTR_CAPS_SZ_2 = %v, got %v", linux.XATTR_CAPS_SZ_2, got)
+	}
+	if got := (*linux.VfsNsCapData)(nil).SizeBytes(); got != linux.XATTR_CAPS_SZ_3 {
+		t.Errorf("XATTR_CAPS_SZ_3 = %v, got %v", linux.XATTR_CAPS_SZ_3, got)
+	}
+}

pkg/sentry/kernel/kernel.go

@@ -1088,15 +1088,15 @@ func (k *Kernel) CreateProcess(args CreateProcessArgs) (*ThreadGroup, ThreadID,
 	if se != nil {
 		return nil, 0, errors.New(se.String())
 	}
-	var capData auth.VfsCapData
+	var vfsCaps linux.VfsNsCapData
 	if len(image.FileCaps()) != 0 {
 		var err error
-		capData, err = auth.VfsCapDataOf([]byte(image.FileCaps()))
+		vfsCaps, err = auth.VfsCapDataOf([]byte(image.FileCaps()))
 		if err != nil {
 			return nil, 0, err
 		}
 	}
-	creds, err := auth.CapsFromVfsCaps(capData, args.Credentials)
+	creds, err := auth.CapsFromVfsCaps(vfsCaps, args.Credentials)
 	if err != nil {
 		return nil, 0, err
 	}