Fix handling of file capabilities.

All the following changes are compatible with what Linux does.
- Do not attempt to apply file capabilities when it is not present.
- If the rootID specified in v3 file capability struct does not own the
  current userns, then file capabilities are not applied.
- While applying file capabilities, EPERM is only returned if
  VFS_CAP_FLAGS_EFFECTIVE is set.
- Re-raise capabilities of root user as per capabilities(7). Compare
  security/commoncap.c:handle_privileged_root().

PiperOrigin-RevId: 761725759

Author: ayushr2

Makefile

@@ -417,7 +417,7 @@ iptables-tests: load-iptables $(RUNTIME_BIN)
 	@$(call install_runtime,$(RUNTIME),--net-raw)
 	@$(call test_runtime,$(RUNTIME),--test_env=TEST_NET_RAW=true //test/iptables:iptables_test)
 	@$(call install_runtime,$(RUNTIME)-nftables,--net-raw --reproduce-nftables)
-	@$(call test_runtime,$(RUNTIME)-nftables, --test_output=all //test/iptables:nftables_test --test_arg=$(RUNTIME)-nftables)
+	@$(call test_runtime,$(RUNTIME)-nftables,--test_env=TEST_NET_RAW=true --test_output=all //test/iptables:nftables_test)
 .PHONY: iptables-tests
 
 packetdrill-tests: load-packetdrill $(RUNTIME_BIN)

pkg/sentry/kernel/auth/BUILD

@@ -88,7 +88,10 @@ go_library(
         "user_namespace_mutex.go",
     ],
     marshal = True,
-    visibility = ["//pkg/sentry:internal"],
+    visibility = [
+        "//pkg/sentry:internal",
+        "//test/e2e:__subpackages__",
+    ],
     deps = [
         "//pkg/abi/linux",
         "//pkg/bits",

pkg/sentry/kernel/auth/capability_set.go

@@ -43,6 +43,16 @@ func CapabilitySetOfMany(cps []linux.Capability) CapabilitySet {
 	return CapabilitySet(cs)
 }
 
+// Add adds the given capability to the CapabilitySet.
+func (cs *CapabilitySet) Add(cp linux.Capability) {
+	*cs |= CapabilitySetOf(cp)
+}
+
+// Clear removes the given capability from the CapabilitySet.
+func (cs *CapabilitySet) Clear(cp linux.Capability) {
+	*cs &= ^CapabilitySetOf(cp)
+}
+
 // VfsCapDataOf returns a VfsCapData containing the file capabilities for the given slice of bytes.
 // For each field of the cap data, which are in the structure of either vfs_cap_data or vfs_ns_cap_data,
 // the bytes are ordered in little endian.
@@ -68,39 +78,28 @@ func VfsCapDataOf(data []byte) (linux.VfsNsCapData, error) {
 	return capData, nil
 }
 
-// CapsFromVfsCaps returns a copy of the given creds with new capability sets
-// by applying the file capability that is specified by capData.
-func CapsFromVfsCaps(capData linux.VfsNsCapData, creds *Credentials) (*Credentials, error) {
-	// If the real or effective user ID of the process is root,
-	// the file inheritable and permitted sets are ignored from
-	// `Capabilities and execution of programs by root` at capabilities(7).
-	if root := creds.UserNamespace.MapToKUID(RootUID); creds.EffectiveKUID == root || creds.RealKUID == root {
-		return creds, nil
-	}
-	effective := (capData.MagicEtc & linux.VFS_CAP_FLAGS_EFFECTIVE) > 0
-	permittedCaps := (CapabilitySet(capData.Permitted()) & creds.BoundingCaps) |
-		(CapabilitySet(capData.Inheritable()) & creds.InheritableCaps)
-	// P'(effective) = effective ? P'(permitted) : P'(ambient).
-	// The ambient capabilities has not supported yet in gVisor,
-	// set effective capabilities to 0 when effective bit is false.
-	effectiveCaps := CapabilitySet(0)
-	if effective {
-		effectiveCaps = permittedCaps
-	}
-	// Insufficient to execute correctly.
-	if (CapabilitySet(capData.Permitted()) & ^permittedCaps) != 0 {
-		return nil, linuxerr.EPERM
-	}
-	// If the capabilities don't change, it will return the creds'
-	// original copy.
-	if creds.PermittedCaps == permittedCaps && creds.EffectiveCaps == effectiveCaps {
-		return creds, nil
-	}
-	// The credentials object is immutable.
-	newCreds := creds.Fork()
-	newCreds.PermittedCaps = permittedCaps
-	newCreds.EffectiveCaps = effectiveCaps
-	return newCreds, nil
+// HandleVfsCaps updates creds based on the given vfsCaps. It returns two
+// booleans; the first indicates whether the effective flag is set, and the second
+// second indicates whether the file capability is applied.
+func HandleVfsCaps(vfsCaps linux.VfsNsCapData, creds *Credentials) (bool, bool, error) {
+	// gVisor does not support ID-mapped mounts and all filesystems are owned by
+	// the initial user namespace. So we an directly cast the root ID to KUID.
+	rootID := KUID(vfsCaps.RootID)
+	if !rootIDOwnsCurrentUserns(creds, rootID) {
+		// Linux skips vfs caps in this situation.
+		return false, false, nil
+	}
+	// Note that ambient capabilities are not yet supported in gVisor.
+	// P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
+	creds.PermittedCaps = (CapabilitySet(vfsCaps.Permitted()) & creds.BoundingCaps) |
+		(CapabilitySet(vfsCaps.Inheritable()) & creds.InheritableCaps)
+	effective := (vfsCaps.MagicEtc & linux.VFS_CAP_FLAGS_EFFECTIVE) > 0
+	// Insufficient to execute correctly. Linux only returns EPERM when effective
+	// flag is set.
+	if effective && (CapabilitySet(vfsCaps.Permitted()) & ^creds.PermittedCaps) != 0 {
+		return effective, true, linuxerr.EPERM
+	}
+	return effective, true, nil
 }
 
 // FixupVfsCapDataOnSet may convert the given value to v3 file capabilities. It
@@ -174,6 +173,51 @@ func rootIDOwnsCurrentUserns(creds *Credentials, rootID KUID) bool {
 	return false
 }
 
+// HandlePrivilegedRoot updates creds for a privileged root user as per
+// `Capabilities and execution of programs by root` in capabilities(7).
+// It returns true if the file effective bit should be considered set.
+func HandlePrivilegedRoot(creds *Credentials, hasVFSCaps bool, filename string) bool {
+	// gVisor currently does not support SECURE_NOROOT secure bit since
+	// PR_SET_SECUREBITS is not supported. So no need to check here.
+	root := creds.UserNamespace.MapToKUID(RootUID)
+	if hasVFSCaps && creds.RealKUID != root && creds.EffectiveKUID == root {
+		log.Warningf("File %q has both SUID bit and file capabilities set, not raising all capabilities.", filename)
+		return false
+	}
+	if creds.RealKUID == root || creds.EffectiveKUID == root {
+		// P'(permitted) = P(inheritable) | P(bounding)
+		creds.PermittedCaps = creds.BoundingCaps | creds.InheritableCaps
+	}
+	// Linux only sets the effective bit if the effective KUID is root.
+	return creds.EffectiveKUID == root
+}
+
+// UpdateCredsForNewTask updates creds for a new task as per capabilities(7).
+func UpdateCredsForNewTask(creds *Credentials, fileCaps string, filename string) error {
+	// Clear the permitted capability set. It is initialized below via
+	// HandleVfsCaps() and HandlePrivilegedRoot().
+	creds.PermittedCaps = 0
+	hasVFSCaps := false
+	setEffective := false
+	if len(fileCaps) != 0 {
+		vfsCaps, err := VfsCapDataOf([]byte(fileCaps))
+		if err != nil {
+			return err
+		}
+		setEffective, hasVFSCaps, err = HandleVfsCaps(vfsCaps, creds)
+		if err != nil {
+			return err
+		}
+	}
+	setEffective = HandlePrivilegedRoot(creds, hasVFSCaps, filename) || setEffective
+	// P'(effective) = effective ? P'(permitted) : P'(ambient).
+	creds.EffectiveCaps = 0
+	if setEffective {
+		creds.EffectiveCaps = creds.PermittedCaps
+	}
+	return nil
+}
+
 // TaskCapabilities represents all the capability sets for a task. Each of these
 // sets is explained in greater detail in capabilities(7).
 type TaskCapabilities struct {

pkg/sentry/kernel/auth/capability_set_test.go

@@ -21,22 +21,14 @@ import (
 	"gvisor.dev/gvisor/pkg/errors/linuxerr"
 )
 
-// capsEquals returns true when the given creds' capabilities match the given caps.
-func capsEquals(creds *Credentials, caps TaskCapabilities) bool {
-	return creds.PermittedCaps == caps.PermittedCaps &&
-		creds.InheritableCaps == caps.InheritableCaps &&
-		creds.EffectiveCaps == caps.EffectiveCaps &&
-		creds.BoundingCaps == caps.BoundingCaps
-}
-
-// credentialsWithCaps returns a copy of creds with the given capabilities.
-func credentialsWithCaps(creds *Credentials, permittedCaps, inheritableCaps, effectiveCaps, boundingCaps CapabilitySet) *Credentials {
-	newCreds := creds.Fork()
-	newCreds.PermittedCaps = permittedCaps
-	newCreds.InheritableCaps = inheritableCaps
-	newCreds.EffectiveCaps = effectiveCaps
-	newCreds.BoundingCaps = boundingCaps
-	return newCreds
+// credentialsWithCaps creates a credentials object with the given capabilities.
+func credentialsWithCaps(inheritable, bounding CapabilitySet) *Credentials {
+	creds := NewRootCredentials(NewRootUserNamespace())
+	creds.PermittedCaps = 0
+	creds.InheritableCaps = inheritable
+	creds.EffectiveCaps = 0
+	creds.BoundingCaps = bounding
+	return creds
 }
 
 func vfsNsCapDataFrom(effective bool, rootid uint32, permitted, inheritable CapabilitySet) linux.VfsNsCapData {
@@ -64,102 +56,68 @@ func vfsCapDataFrom(effective bool, permitted, inheritable CapabilitySet) linux.
 
 func TestCapsFromVfsCaps(t *testing.T) {
 	for _, tst := range []struct {
-		name     string
-		capData  linux.VfsNsCapData
-		creds    *Credentials
-		wantCaps TaskCapabilities
-		wantErr  error
+		name          string
+		capData       linux.VfsNsCapData
+		creds         *Credentials
+		wantPermitted CapabilitySet
+		wantEffective bool
+		wantErr       error
 	}{
 		{
-			name: "TestRootCredential",
+			name: "TestSamePermittedAndInheritableCaps",
 			capData: vfsCapDataFrom(
 				true,                                  // effective
 				CapabilitySetOf(linux.CAP_NET_ADMIN),  // permitted
 				CapabilitySetOf(linux.CAP_NET_ADMIN)), // inheritable
-			creds: credentialsWithCaps(
-				NewRootCredentials(NewRootUserNamespace()),
-				AllCapabilities,
-				CapabilitySetOf(linux.CAP_NET_RAW),
-				AllCapabilities,
-				CapabilitySetOf(linux.CAP_SYSLOG)),
-			wantCaps: TaskCapabilities{
-				PermittedCaps:   AllCapabilities,
-				InheritableCaps: CapabilitySetOf(linux.CAP_NET_RAW),
-				EffectiveCaps:   AllCapabilities,
-				BoundingCaps:    CapabilitySetOf(linux.CAP_SYSLOG),
-			},
+			creds:         credentialsWithCaps(AllCapabilities, AllCapabilities),
+			wantPermitted: CapabilitySetOf(linux.CAP_NET_ADMIN),
+			wantEffective: true,
 		},
 		{
-			name: "TestPermittedAndInheritableCaps",
+			name: "TestDifferentPermittedAndInheritableCaps",
 			capData: vfsCapDataFrom(
 				true, // effective
 				CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID}),  // permitted
 				CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETGID})), // inheritable
-			creds: credentialsWithCaps(
-				NewUserCredentials(123, 321, nil, nil, NewRootUserNamespace()),
-				AllCapabilities,
-				AllCapabilities,
-				AllCapabilities,
-				AllCapabilities),
-			wantCaps: TaskCapabilities{
-				PermittedCaps:   CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID, linux.CAP_SETGID}),
-				InheritableCaps: AllCapabilities,
-				EffectiveCaps:   CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID, linux.CAP_SETGID}),
-				BoundingCaps:    AllCapabilities,
-			},
+			creds:         credentialsWithCaps(AllCapabilities, AllCapabilities),
+			wantPermitted: CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID, linux.CAP_SETGID}),
+			wantEffective: true,
 		},
 		{
 			name: "TestEffectiveBitOff",
 			capData: vfsCapDataFrom(
 				false, // effective
 				CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID}),  // permitted
 				CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETGID})), // inheritable
-			creds: credentialsWithCaps(
-				NewUserCredentials(123, 321, nil, nil, NewRootUserNamespace()),
-				AllCapabilities,
-				AllCapabilities,
-				AllCapabilities,
-				AllCapabilities),
-			wantCaps: TaskCapabilities{
-				PermittedCaps:   CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID, linux.CAP_SETGID}),
-				InheritableCaps: AllCapabilities,
-				EffectiveCaps:   0,
-				BoundingCaps:    AllCapabilities,
-			},
+			creds:         credentialsWithCaps(AllCapabilities, AllCapabilities),
+			wantPermitted: CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID, linux.CAP_SETGID}),
+			wantEffective: false,
 		},
 		{
 			name: "TestInsufficientCaps",
 			capData: vfsCapDataFrom(
 				true, // effective
 				CapabilitySetOfMany([]linux.Capability{linux.CAP_CHOWN, linux.CAP_SETUID}), // permitted
 				CapabilitySetOf(linux.CAP_CHOWN)),                                          // inheritable
-			creds: credentialsWithCaps(
-				NewUserCredentials(123, 321, nil, nil, NewRootUserNamespace()),
-				AllCapabilities,
-				AllCapabilities,
-				AllCapabilities,
-				CapabilitySetOf(linux.CAP_CHOWN)),
+			creds:   credentialsWithCaps(AllCapabilities, CapabilitySetOf(linux.CAP_CHOWN)),
 			wantErr: linuxerr.EPERM,
 		},
 	} {
 		t.Run(tst.name, func(t *testing.T) {
-			newCreds, err := CapsFromVfsCaps(tst.capData, tst.creds)
+			setEff, _, err := HandleVfsCaps(tst.capData, tst.creds)
 			if err == nil {
 				if tst.wantErr != nil {
-					t.Errorf("CapsFromVfsCaps(%v, %v) returned unexpected error %v", tst.capData, tst.creds, tst.wantErr)
+					t.Errorf("CapsFromVfsCaps(%v) returned unexpected error %v", tst.capData, tst.wantErr)
+				}
+				if tst.creds.PermittedCaps != tst.wantPermitted {
+					t.Errorf("CapsFromVfsCaps(%v) set PermittedCaps to: %#x, want capabilities: %#x",
+						tst.capData, tst.creds.PermittedCaps, tst.wantPermitted)
 				}
-				if !capsEquals(newCreds, tst.wantCaps) {
-					t.Errorf("CapsFromVfsCaps(%v, %v) returned capabilities: %v, want capabilities: %v",
-						tst.capData, tst.creds,
-						TaskCapabilities{
-							PermittedCaps:   newCreds.PermittedCaps,
-							InheritableCaps: newCreds.InheritableCaps,
-							EffectiveCaps:   newCreds.EffectiveCaps,
-							BoundingCaps:    newCreds.BoundingCaps,
-						}, tst.wantCaps)
+				if setEff != tst.wantEffective {
+					t.Errorf("CapsFromVfsCaps(%v) returned effective=%t, want: %t", tst.capData, setEff, tst.wantEffective)
 				}
 			} else if tst.wantErr == nil || tst.wantErr.Error() != err.Error() {
-				t.Errorf("CapsFromVfsCaps(%v, %v) returned error %v, wantErr: %v", tst.capData, tst.creds, err, tst.wantErr)
+				t.Errorf("CapsFromVfsCaps(%v) returned error %v, wantErr: %v", tst.capData, err, tst.wantErr)
 			}
 		})
 	}

pkg/sentry/kernel/kernel.go

@@ -1088,16 +1088,7 @@ func (k *Kernel) CreateProcess(args CreateProcessArgs) (*ThreadGroup, ThreadID,
 	if se != nil {
 		return nil, 0, errors.New(se.String())
 	}
-	var vfsCaps linux.VfsNsCapData
-	if len(image.FileCaps()) != 0 {
-		var err error
-		vfsCaps, err = auth.VfsCapDataOf([]byte(image.FileCaps()))
-		if err != nil {
-			return nil, 0, err
-		}
-	}
-	creds, err := auth.CapsFromVfsCaps(vfsCaps, args.Credentials)
-	if err != nil {
+	if err := auth.UpdateCredsForNewTask(args.Credentials, image.FileCaps(), args.Filename); err != nil {
 		return nil, 0, err
 	}
 	args.FDTable.IncRef()
@@ -1109,7 +1100,7 @@ func (k *Kernel) CreateProcess(args CreateProcessArgs) (*ThreadGroup, ThreadID,
 		TaskImage:        image,
 		FSContext:        fsContext,
 		FDTable:          args.FDTable,
-		Credentials:      creds,
+		Credentials:      args.Credentials,
 		NetworkNamespace: k.RootNetworkNamespace(),
 		AllowedCPUMask:   sched.NewFullCPUSet(k.applicationCores),
 		UTSNamespace:     args.UTSNamespace,

pkg/sentry/loader/loader.go

@@ -264,10 +264,13 @@ func Load(ctx context.Context, args LoadArgs, extraAuxv []arch.AuxEntry, vdso *V
 		return ImageInfo{}, syserr.NewDynamic(fmt.Sprintf("failed to load %s: %v", args.Filename, err), syserr.FromError(err).ToLinux())
 	}
 	defer file.DecRef(ctx)
-	xattr, err := file.GetXattr(ctx, &vfs.GetXattrOptions{Name: linux.XATTR_SECURITY_CAPABILITY, Size: linux.XATTR_CAPS_SZ_3})
+	fileCaps, err := file.GetXattr(ctx, &vfs.GetXattrOptions{Name: linux.XATTR_SECURITY_CAPABILITY, Size: linux.XATTR_CAPS_SZ_3})
 	switch {
-	case linuxerr.Equals(linuxerr.ENODATA, err), linuxerr.Equals(linuxerr.ENOTSUP, err):
-		xattr = ""
+	case linuxerr.Equals(linuxerr.ENODATA, err), linuxerr.Equals(linuxerr.EOPNOTSUPP, err):
+		// Linux converts EOPNOTSUPP to ENODATA in
+		// security/commoncap.c:get_vfs_caps_from_disk(). We communicate the lack
+		// of file capabilities by an empty string.
+		fileCaps = ""
 	case err != nil:
 		return ImageInfo{}, syserr.NewDynamic(fmt.Sprintf("failed to read file capabilities of %s: %v", args.Filename, err), syserr.FromError(err).ToLinux())
 	}
@@ -355,6 +358,6 @@ func Load(ctx context.Context, args LoadArgs, extraAuxv []arch.AuxEntry, vdso *V
 		OS:       loaded.os,
 		Arch:     ac,
 		Name:     name,
-		FileCaps: xattr,
+		FileCaps: fileCaps,
 	}, nil
 }

runsc/container/BUILD

@@ -77,7 +77,6 @@ go_test(
     tags = ["requires-kvm"],
     deps = [
         "//pkg/abi/linux",
-        "//pkg/bits",
         "//pkg/cleanup",
         "//pkg/log",
         "//pkg/sentry/control",

runsc/container/container_test.go

@@ -37,7 +37,6 @@ import (
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
 	"gvisor.dev/gvisor/pkg/abi/linux"
-	"gvisor.dev/gvisor/pkg/bits"
 	"gvisor.dev/gvisor/pkg/cleanup"
 	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/sentry/control"
@@ -2482,7 +2481,7 @@ func TestMountSymlink(t *testing.T) {
 
 // Check that --net-raw disables the CAP_NET_RAW capability.
 func TestNetRaw(t *testing.T) {
-	capNetRaw := strconv.FormatUint(bits.MaskOf64(int(linux.CAP_NET_RAW)), 10)
+	capNetRaw := strconv.FormatUint(uint64(auth.CapabilitySetOf(linux.CAP_NET_RAW)), 10)
 	app, err := testutil.FindFile("test/cmd/test_app/test_app")
 	if err != nil {
 		t.Fatal("error finding test_app:", err)

runsc/specutils/BUILD

@@ -18,7 +18,6 @@ go_library(
     visibility = ["//:sandbox"],
     deps = [
         "//pkg/abi/linux",
-        "//pkg/bits",
         "//pkg/log",
         "//pkg/sentry/devices/nvproxy/nvconf",
         "//pkg/sentry/kernel/auth",