Support security.capability xattr for tmpfs.

This allows writing capabilities only to "security.capability" within the
security namespace. In goferfs, this is disallowed to prevent writes from
propagating to the underlying host filesystem.

PiperOrigin-RevId: 756009863

Author: ayushr2

images/basic/filecap/Dockerfile

@@ -2,4 +2,4 @@ FROM alpine
 
 RUN apk add libcap
 
-RUN cp  /bin/busybox /mnt/cat && setcap cap_net_admin+ep /mnt/cat
+RUN cp /bin/cat /mnt/cat && setcap cap_net_admin+ep /mnt/cat

pkg/abi/linux/capability.go

@@ -271,6 +271,18 @@ func (c *VfsCapData) Inheritable() uint64 {
 	return uint64(c.InheritableHi)<<32 | uint64(c.InheritableLo)
 }
 
+// IsRevision2 returns true if c is v2.
+func (c *VfsCapData) IsRevision2() bool {
+	return (c.MagicEtc & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_2
+}
+
+// ToString marshals c into bytes and returns it as a string.
+func (c *VfsCapData) ToString() string {
+	buf := make([]byte, c.SizeBytes())
+	c.MarshalUnsafe(buf)
+	return string(buf)
+}
+
 // VfsNsCapData is equivalent to Linux's struct vfs_ns_cap_data.
 //
 // +marshal
@@ -279,6 +291,34 @@ type VfsNsCapData struct {
 	RootID uint32
 }
 
+// ConvertToV3 converts c to v3 file capabilities.
+func (c *VfsNsCapData) ConvertToV3(rootid uint32) {
+	c.RootID = rootid
+	if c.IsRevision2() {
+		// Change to v3 while retaining the effective bit.
+		c.MagicEtc = VFS_CAP_REVISION_3 | c.MagicEtc&VFS_CAP_FLAGS_EFFECTIVE
+	}
+}
+
+// ConvertToV2 converts c to v2 file capabilities.
+func (c *VfsNsCapData) ConvertToV2() {
+	c.RootID = 0
+	if !c.IsRevision2() {
+		// Change to v2 while retaining the effective bit.
+		c.MagicEtc = VFS_CAP_REVISION_2 | c.MagicEtc&VFS_CAP_FLAGS_EFFECTIVE
+	}
+}
+
+// ToString marshals c into bytes and returns it as a string.
+func (c *VfsNsCapData) ToString() string {
+	if c.IsRevision2() {
+		return c.VfsCapData.ToString()
+	}
+	buf := make([]byte, c.SizeBytes())
+	c.MarshalUnsafe(buf)
+	return string(buf)
+}
+
 // CapUserHeader is equivalent to Linux's cap_user_header_t.
 //
 // +marshal

pkg/abi/linux/xattr.go

@@ -26,6 +26,8 @@ const (
 	XATTR_SECURITY_PREFIX     = "security."
 	XATTR_SECURITY_PREFIX_LEN = len(XATTR_SECURITY_PREFIX)
 
+	XATTR_SECURITY_CAPABILITY = XATTR_SECURITY_PREFIX + "capability"
+
 	XATTR_SYSTEM_PREFIX     = "system."
 	XATTR_SYSTEM_PREFIX_LEN = len(XATTR_SYSTEM_PREFIX)
 

pkg/sentry/fsimpl/gofer/gofer.go

@@ -1456,6 +1456,10 @@ func (d *dentry) checkXattrPermissions(creds *auth.Credentials, name string, ats
 	if strings.HasPrefix(name, linux.XATTR_SYSTEM_PREFIX) || strings.HasPrefix(name, linux.XATTR_TRUSTED_PREFIX) {
 		return linuxerr.EOPNOTSUPP
 	}
+	// Do not allow writes to the "security" namespace on the host filesystem.
+	if ats.MayWrite() && strings.HasPrefix(name, linux.XATTR_SECURITY_PREFIX) {
+		return linuxerr.EOPNOTSUPP
+	}
 	mode := linux.FileMode(d.mode.Load())
 	kuid := auth.KUID(d.uid.Load())
 	kgid := auth.KGID(d.gid.Load())

pkg/sentry/fsimpl/tmpfs/tmpfs.go

@@ -193,7 +193,7 @@ func (fstype FilesystemType) GetFilesystem(ctx context.Context, vfsObj *vfs.Virt
 	allowXattrPrefix := map[string]struct{}{
 		linux.XATTR_TRUSTED_PREFIX: {},
 		linux.XATTR_USER_PREFIX:    {},
-		// The "security" namespace is allowed, but it always returns an error.
+		// Only the "security.capability" xattr is supported.
 		linux.XATTR_SECURITY_PREFIX: {},
 	}
 
@@ -876,7 +876,7 @@ func (i *inode) setXattr(creds *auth.Credentials, opts *vfs.SetXattrOptions) err
 	if err := vfs.GenericCheckPermissions(creds, vfs.MayWrite, mode, kuid, kgid); err != nil {
 		return err
 	}
-	return i.xattrs.SetXattr(creds, mode, kuid, opts)
+	return i.xattrs.SetXattr(creds, mode, kuid, kgid, opts)
 }
 
 func (i *inode) removeXattr(creds *auth.Credentials, name string) error {

pkg/sentry/kernel/auth/capability_set.go

@@ -103,6 +103,77 @@ func CapsFromVfsCaps(capData linux.VfsNsCapData, creds *Credentials) (*Credentia
 	return newCreds, nil
 }
 
+// FixupVfsCapDataOnSet may convert the given value to v3 file capabilities. It
+// is analogous to security/commoncap.c:cap_convert_nscap().
+func FixupVfsCapDataOnSet(creds *Credentials, value string, kuid KUID, kgid KGID) (string, error) {
+	vfsCaps, err := VfsCapDataOf([]byte(value))
+	if err != nil {
+		return "", err
+	}
+	if !creds.HasCapabilityOnFile(linux.CAP_SETFCAP, kuid, kgid) {
+		return "", linuxerr.EPERM
+	}
+	if vfsCaps.IsRevision2() && creds.HasCapabilityIn(linux.CAP_SETFCAP, creds.UserNamespace.Root()) {
+		// The user is privileged, allow the v2 write.
+		return value, nil
+	}
+	// Linux does the following UID gymnastics:
+	//   1. The userspace-provided rootID is relative to the caller's user
+	//      namespace. So vfsCaps.RootID is mapped down to KUID first.
+	//   2. If this is an ID-mapped mount, the result is mapped up using the
+	//      ID-map and then down again using the filesystem's owning user
+	//      namespace (inode->i_sb->s_user_ns). We again have a KUID result.
+	//   3. The result is mapped up using the filesystem's owning user namespace.
+	//
+	// The final result is saved in the xattr value at vfs_ns_cap_data->rootid.
+	// Since gVisor does not support ID-mapped mounts and all filesystems are
+	// owned by the initial user namespace, we can skip steps 2 and 3.
+	rootID := creds.UserNamespace.MapToKUID(UID(vfsCaps.RootID))
+	if !rootID.Ok() {
+		return "", linuxerr.EINVAL
+	}
+	vfsCaps.ConvertToV3(uint32(rootID))
+	return vfsCaps.ToString(), nil
+}
+
+// FixupVfsCapDataOnGet may convert the given value to v2 file capabilities. It
+// is analogous to security/commoncap.c:cap_inode_getsecurity().
+func FixupVfsCapDataOnGet(creds *Credentials, value string) (string, error) {
+	vfsCaps, err := VfsCapDataOf([]byte(value))
+	if err != nil {
+		return "", err
+	}
+	// Linux does the steps mentioned in FixupVfsCapDataOnSet in reverse. But
+	// since gVisor does not support ID-mapped mounts and all filesystems are
+	// owned by the initial user namespace, we only need to reverse step 1 here.
+	rootID := KUID(vfsCaps.RootID)
+	mappedRoot := creds.UserNamespace.MapFromKUID(rootID)
+	if mappedRoot.Ok() && mappedRoot != RootUID {
+		// Return this as v3.
+		vfsCaps.ConvertToV3(uint32(mappedRoot))
+		return vfsCaps.ToString(), nil
+	}
+	if !rootIDOwnsCurrentUserns(creds, rootID) {
+		return "", linuxerr.EOVERFLOW
+	}
+	// Return this as v2.
+	vfsCaps.ConvertToV2()
+	return vfsCaps.ToString(), nil
+}
+
+// Analogous to security/commoncap.c:rootid_owns_currentns().
+func rootIDOwnsCurrentUserns(creds *Credentials, rootID KUID) bool {
+	if !rootID.Ok() {
+		return false
+	}
+	for ns := creds.UserNamespace; ns != nil; ns = ns.parent {
+		if ns.MapFromKUID(rootID) == RootUID {
+			return true
+		}
+	}
+	return false
+}
+
 // TaskCapabilities represents all the capability sets for a task. Each of these
 // sets is explained in greater detail in capabilities(7).
 type TaskCapabilities struct {

pkg/sentry/kernel/auth/credentials.go

@@ -196,6 +196,13 @@ func (c *Credentials) HasCapability(cp linux.Capability) bool {
 	return c.HasCapabilityIn(cp, c.UserNamespace)
 }
 
+// HasCapabilityOnFile returns true if creds has the given capability with
+// respect to a file with the given owning UID and GID, consistent with Linux's
+// kernel/capability.c:capable_wrt_inode_uidgid().
+func (c *Credentials) HasCapabilityOnFile(cp linux.Capability, kuid KUID, kgid KGID) bool {
+	return c.HasCapability(cp) && c.UserNamespace.MapFromKUID(kuid).Ok() && c.UserNamespace.MapFromKGID(kgid).Ok()
+}
+
 // UseUID checks that c can use uid in its user namespace, then translates it
 // to the root user namespace.
 //

pkg/sentry/loader/loader.go

@@ -38,10 +38,6 @@ import (
 	"gvisor.dev/gvisor/pkg/usermem"
 )
 
-const (
-	securityCapability = linux.XATTR_SECURITY_PREFIX + "capability"
-)
-
 // LoadArgs holds specifications for an executable file to be loaded.
 type LoadArgs struct {
 	// MemoryManager is the memory manager to load the executable into.
@@ -268,7 +264,7 @@ func Load(ctx context.Context, args LoadArgs, extraAuxv []arch.AuxEntry, vdso *V
 		return ImageInfo{}, syserr.NewDynamic(fmt.Sprintf("failed to load %s: %v", args.Filename, err), syserr.FromError(err).ToLinux())
 	}
 	defer file.DecRef(ctx)
-	xattr, err := file.GetXattr(ctx, &vfs.GetXattrOptions{Name: securityCapability, Size: linux.XATTR_CAPS_SZ_3})
+	xattr, err := file.GetXattr(ctx, &vfs.GetXattrOptions{Name: linux.XATTR_SECURITY_CAPABILITY, Size: linux.XATTR_CAPS_SZ_3})
 	switch {
 	case linuxerr.Equals(linuxerr.ENODATA, err), linuxerr.Equals(linuxerr.ENOTSUP, err):
 		xattr = ""

pkg/sentry/vfs/memxattr/xattr.go

@@ -56,11 +56,14 @@ func (x *SimpleExtendedAttributes) GetXattr(creds *auth.Credentials, mode linux.
 	if opts.Size != 0 && uint64(len(value)) > opts.Size {
 		return "", linuxerr.ERANGE
 	}
+	if opts.Name == linux.XATTR_SECURITY_CAPABILITY {
+		return auth.FixupVfsCapDataOnGet(creds, value)
+	}
 	return value, nil
 }
 
 // SetXattr sets 'value' at 'name'.
-func (x *SimpleExtendedAttributes) SetXattr(creds *auth.Credentials, mode linux.FileMode, kuid auth.KUID, opts *vfs.SetXattrOptions) error {
+func (x *SimpleExtendedAttributes) SetXattr(creds *auth.Credentials, mode linux.FileMode, kuid auth.KUID, kgid auth.KGID, opts *vfs.SetXattrOptions) error {
 	if err := vfs.CheckXattrPermissions(creds, vfs.MayWrite, mode, kuid, opts.Name); err != nil {
 		return err
 	}
@@ -82,6 +85,13 @@ func (x *SimpleExtendedAttributes) SetXattr(creds *auth.Credentials, mode linux.
 		return linuxerr.ENODATA
 	}
 
+	if opts.Name == linux.XATTR_SECURITY_CAPABILITY {
+		var err error
+		opts.Value, err = auth.FixupVfsCapDataOnSet(creds, opts.Value, kuid, kgid)
+		if err != nil {
+			return err
+		}
+	}
 	x.xattrs[opts.Name] = opts.Value
 	return nil
 }

pkg/sentry/vfs/permissions.go

@@ -209,13 +209,13 @@ func CheckSetStat(ctx context.Context, creds *auth.Credentials, opts *SetStatOpt
 	}
 	if stat.Mask&linux.STATX_UID != 0 {
 		if !((creds.EffectiveKUID == kuid && auth.KUID(stat.UID) == kuid) ||
-			HasCapabilityOnFile(creds, linux.CAP_CHOWN, kuid, kgid)) {
+			creds.HasCapabilityOnFile(linux.CAP_CHOWN, kuid, kgid)) {
 			return linuxerr.EPERM
 		}
 	}
 	if stat.Mask&linux.STATX_GID != 0 {
 		if !((creds.EffectiveKUID == kuid && creds.InGroup(auth.KGID(stat.GID))) ||
-			HasCapabilityOnFile(creds, linux.CAP_CHOWN, kuid, kgid)) {
+			creds.HasCapabilityOnFile(linux.CAP_CHOWN, kuid, kgid)) {
 			return linuxerr.EPERM
 		}
 	}
@@ -249,7 +249,7 @@ func CheckDeleteSticky(creds *auth.Credentials, parentMode linux.FileMode, paren
 	}
 	if creds.EffectiveKUID == childKUID ||
 		creds.EffectiveKUID == parentKUID ||
-		HasCapabilityOnFile(creds, linux.CAP_FOWNER, childKUID, childKGID) {
+		creds.HasCapabilityOnFile(linux.CAP_FOWNER, childKUID, childKGID) {
 		return nil
 	}
 	return linuxerr.EPERM
@@ -265,13 +265,6 @@ func CanActAsOwner(creds *auth.Credentials, kuid auth.KUID) bool {
 	return creds.HasCapability(linux.CAP_FOWNER) && creds.UserNamespace.MapFromKUID(kuid).Ok()
 }
 
-// HasCapabilityOnFile returns true if creds has the given capability with
-// respect to a file with the given owning UID and GID, consistent with Linux's
-// kernel/capability.c:capable_wrt_inode_uidgid().
-func HasCapabilityOnFile(creds *auth.Credentials, cp linux.Capability, kuid auth.KUID, kgid auth.KGID) bool {
-	return creds.HasCapability(cp) && creds.UserNamespace.MapFromKUID(kuid).Ok() && creds.UserNamespace.MapFromKGID(kgid).Ok()
-}
-
 // CheckLimit enforces file size rlimits. It returns error if the write
 // operation must not proceed. Otherwise it returns the max length allowed to
 // without violating the limit.
@@ -297,6 +290,8 @@ func CheckLimit(ctx context.Context, offset, size int64) (int64, error) {
 //     must be returned by filesystem implementations.
 //   - Does not do inode permission checks. Filesystem implementations should
 //     handle inode permission checks as they may differ across implementations.
+//   - Writes in security namespace are not supported, except for writes to
+//     "security.capability", which are required to support file capabilities.
 func CheckXattrPermissions(creds *auth.Credentials, ats AccessTypes, mode linux.FileMode, kuid auth.KUID, name string) error {
 	switch {
 	case strings.HasPrefix(name, linux.XATTR_TRUSTED_PREFIX):
@@ -327,6 +322,9 @@ func CheckXattrPermissions(creds *auth.Credentials, ats AccessTypes, mode linux.
 		if ats.MayRead() {
 			return nil
 		}
+		if name == linux.XATTR_SECURITY_CAPABILITY {
+			return nil
+		}
 		return linuxerr.EOPNOTSUPP
 	}
 	return nil