util: fix clear_emulator_capabilities=0

My commit 7a2e845a865dc7fa82d2393ea2a770cfc8cf00b4 (and its
prerequisites) managed to effectively ignore the
clear_emulator_capabilities setting in qemu.conf (visible in the code
as the VIR_EXEC_CLEAR_CAPS flag when qemu is being exec'ed), with the
result that the capabilities are always cleared regardless of the
qemu.conf setting. This patch fixes it by passing the flag through to
virSetUIDGIDWithCaps(), which uses it to decide whether or not to
clear existing capabilities before adding in those that were
requested.

Note that the existing capabilities are *always* cleared if the new
process is going to run as non-root, since the whole point of running
non-root is to have the capabilities removed (it's still possible to
maintain individual capabilities as needed using the capBits argument
though).

diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index f672101f2252fc6770581862babda18d76506642..ac56a638a89780d19ae56358398d7818bbdd040f 100644 (file)
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -639,8 +639,10 @@ virExec(virCommandPtr cmd)
         cmd->capabilities || (cmd->flags & VIR_EXEC_CLEAR_CAPS)) {
         VIR_DEBUG("Setting child uid:gid to %d:%d with caps %llx",
                   (int)cmd->uid, (int)cmd->gid, cmd->capabilities);
-        if (virSetUIDGIDWithCaps(cmd->uid, cmd->gid, cmd->capabilities) < 0)
+        if (virSetUIDGIDWithCaps(cmd->uid, cmd->gid, cmd->capabilities,
+                                 !!(cmd->flags & VIR_EXEC_CLEAR_CAPS)) < 0) {
             goto fork_error;
+        }
     }
 
     if (cmd->pwd) {

diff --git a/src/util/virutil.c b/src/util/virutil.c
index 4605c78ca73a10896d02461aa65baa2805daf75e..a0d15302dcdd715e1ecf05c62e55583ad8280d63 100644 (file)
--- a/src/util/virutil.c
+++ b/src/util/virutil.c
@@ -2998,18 +2998,21 @@ virGetGroupName(gid_t gid ATTRIBUTE_UNUSED)
  * errno).
  */
 int
-virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned long long capBits)
+virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned long long capBits,
+                     bool clearExistingCaps)
 {
     int ii, capng_ret, ret = -1;
     bool need_setgid = false, need_setuid = false;
     bool need_prctl = false, need_setpcap = false;
 
-    /* First drop all caps except those in capBits + the extra ones we
-     * need to change uid/gid and change the capabilities bounding
-     * set.
+    /* First drop all caps (unless the requested uid is "unchanged" or
+     * root and clearExistingCaps wasn't requested), then add back
+     * those in capBits + the extra ones we need to change uid/gid and
+     * change the capabilities bounding set.
      */
 
-    capng_clear(CAPNG_SELECT_BOTH);
+    if (clearExistingCaps || (uid != -1 && uid != 0))
+       capng_clear(CAPNG_SELECT_BOTH);
 
     for (ii = 0; ii <= CAP_LAST_CAP; ii++) {
         if (capBits & (1ULL << ii)) {
@@ -3095,7 +3098,8 @@ cleanup:
 
 int
 virSetUIDGIDWithCaps(uid_t uid, gid_t gid,
-                     unsigned long long capBits ATTRIBUTE_UNUSED)
+                     unsigned long long capBits ATTRIBUTE_UNUSED,
+                     bool clearExistingCaps ATTRIBUTE_UNUSED)
 {
     return virSetUIDGID(uid, gid);
 }

diff --git a/src/util/virutil.h b/src/util/virutil.h
index 2dc34038211986acfd6a84b54c0cd8f012864f32..665ad78edd3fa2ee8c7ec3b36b7dc35bfa5b9a0d 100644 (file)
--- a/src/util/virutil.h
+++ b/src/util/virutil.h
@@ -54,7 +54,8 @@ int virPipeReadUntilEOF(int outfd, int errfd,
                         char **outbuf, char **errbuf);
 
 int virSetUIDGID(uid_t uid, gid_t gid);
-int virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned long long capBits);
+int virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned long long capBits,
+                         bool clearExistingCaps);
 
 int virFileReadLimFD(int fd, int maxlen, char **buf) ATTRIBUTE_RETURN_CHECK;