From f95b94fbe3e557b16ed2b78c87e8936c0aeab6c5 Mon Sep 17 00:00:00 2001
From: Jamie Liu
Date: Tue, 8 Jan 2019 12:51:04 -0800
Subject: Grant no initial capabilities to non-root UIDs.

See modified comment in auth.NewUserCredentials(); compare to the behavior of setresuid(2) as implemented by //pkg/sentry/kernel/task_identity.go:kernel.Task.setKUIDsUncheckedLocked().

PiperOrigin-RevId: 228381765
Change-Id: I45238777c8f63fcf41b99fce3969caaf682fe408
---
 pkg/sentry/kernel/auth/credentials.go | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

(limited to 'pkg/sentry/kernel')

diff --git a/pkg/sentry/kernel/auth/credentials.go b/pkg/sentry/kernel/auth/credentials.go
index de33f1953..a843b9aab 100644
--- a/pkg/sentry/kernel/auth/credentials.go
+++ b/pkg/sentry/kernel/auth/credentials.go
@@ -119,19 +119,24 @@ func NewUserCredentials(kuid KUID, kgid KGID, extraKGIDs []KGID, capabilities *T
 	// Set additional GIDs.
 	creds.ExtraKGIDs = append(creds.ExtraKGIDs, extraKGIDs...)
 
-	// Set capabilities. If capabilities aren't specified, we default to
-	// all capabilities.
+	// Set capabilities.
 	if capabilities != nil {
 		creds.PermittedCaps = capabilities.PermittedCaps
 		creds.EffectiveCaps = capabilities.EffectiveCaps
 		creds.BoundingCaps = capabilities.BoundingCaps
 		creds.InheritableCaps = capabilities.InheritableCaps
-		// // TODO: Support ambient capabilities.
+		// TODO: Support ambient capabilities.
 	} else {
-		// If no capabilities are specified, grant the same capabilities
-		// that NewRootCredentials does.
-		creds.PermittedCaps = AllCapabilities
-		creds.EffectiveCaps = AllCapabilities
+		// If no capabilities are specified, grant capabilities consistent with
+		// setresuid + setresgid from NewRootCredentials to the given uid and
+		// gid.
+		if kuid == RootKUID {
+			creds.PermittedCaps = AllCapabilities
+			creds.EffectiveCaps = AllCapabilities
+		} else {
+			creds.PermittedCaps = 0
+			creds.EffectiveCaps = 0
+		}
 		creds.BoundingCaps = AllCapabilities
 	}
 
-- 
cgit v1.2.3
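Review bot: The nil-capabilities default now silently changes meaning for non-root callers (PermittedCaps and EffectiveCaps become 0 while BoundingCaps stays AllCapabilities), but the doc comment on NewUserCredentials sits above the hunk and is not updated here; if it still describes the old "defaults to all capabilities" behaviour it should be replaced with something like `// If capabilities is nil, a root KUID receives all capabilities and any other KUID receives none in the permitted and effective sets; the bounding set is always AllCapabilities.` The diffstat shows only credentials.go changed, so nothing pins the new branch; a small table test calling NewUserCredentials with RootKUID and a non-root KUID, nil capabilities, and asserting PermittedCaps/EffectiveCaps would guard against regression. The new comment's mention of "setresgid" and "gid" is misleading because group changes do not affect capability sets, so `// setresuid from NewRootCredentials to the given uid.` is more precise. Note that InheritableCaps is not touched in the else branch and keeps whatever the struct literal above the hunk gave it, which is worth stating in the comment since the remainder of NewUserCredentials lies outside this hunk.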