From 7ea2433d716172f160c9380ed0bb852fafe845a2 Mon Sep 17 00:00:00 2001
From: Pavel Zhukov <pzhukov@redhat.com>
Date: Thu, 21 Feb 2019 10:30:28 +0100
Subject: [PATCH 11/28] Drop unnecessary capabilities
dhclient (#517649, #546765), dhcpd/dhcrelay (#699713)
---
client/Makefile.am | 3 ++-
client/dhclient-script.8 | 10 ++++++++++
client/dhclient.8 | 29 +++++++++++++++++++++++++++++
client/dhclient.c | 24 ++++++++++++++++++++++++
configure.ac | 35 +++++++++++++++++++++++++++++++++++
relay/Makefile.am | 3 ++-
relay/dhcrelay.c | 29 +++++++++++++++++++++++++++++
7 files changed, 131 insertions(+), 2 deletions(-)
diff --git a/client/Makefile.am b/client/Makefile.am
index d177159..0689185 100644
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -17,6 +17,7 @@ dhclient_LDADD = ../common/libdhcp.@A@ ../omapip/libomapi.@A@ \
@BINDLIBIRSDIR@/libirs.@A@ \
@BINDLIBDNSDIR@/libdns.@A@ \
@BINDLIBISCCFGDIR@/libisccfg.@A@ \
- @BINDLIBISCDIR@/libisc.@A@
+ @BINDLIBISCDIR@/libisc.@A@ \
+ $(CAPNG_LDADD)
man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5
EXTRA_DIST = $(man_MANS)
diff --git a/client/dhclient-script.8 b/client/dhclient-script.8
index 37ecdc5..1a88e0e 100644
--- a/client/dhclient-script.8
+++ b/client/dhclient-script.8
@@ -249,6 +249,16 @@ repeatedly initialized to the values provided by one server, and then
the other. Assuming the information provided by both servers is
valid, this shouldn't cause any real problems, but it could be
confusing.
+.PP
+Normally, if dhclient was compiled with libcap-ng support,
+dhclient drops most capabilities immediately upon startup.
+While more secure, this greatly restricts the additional actions that
+hooks in dhclient-script can take. For example, any daemons that
+dhclient-script starts or restarts will inherit the restricted
+capabilities as well, which may interfere with their correct operation.
+Thus, the
+.BI \-nc
+option can be used to prevent dhclient from dropping capabilities.
.SH SEE ALSO
dhclient(8), dhcpd(8), dhcrelay(8), dhclient.conf(5) and
dhclient.leases(5).
diff --git a/client/dhclient.8 b/client/dhclient.8
index 5029dac..bacf3bc 100644
--- a/client/dhclient.8
+++ b/client/dhclient.8
@@ -135,6 +135,9 @@ dhclient - Dynamic Host Configuration Protocol Client
.B -w
]
[
+.B -nc
+]
+[
.B -B
]
[
@@ -329,6 +332,32 @@ not to exit when it doesn't find any such interfaces. The
program can then be used to notify the client when a network interface
has been added or removed, so that the client can attempt to configure an IP
address on that interface.
+.TP
+.BI \-nc
+Do not drop capabilities.
+
+Normally, if
+.B dhclient
+was compiled with libcap-ng support,
+.B dhclient
+drops most capabilities immediately upon startup. While more secure,
+this greatly restricts the additional actions that hooks in
+.B dhclient-script (8)
+can take. (For example, any daemons that
+.B dhclient-script (8)
+starts or restarts will inherit the restricted capabilities as well,
+which may interfere with their correct operation.) Thus, the
+.BI \-nc
+option can be used to prevent
+.B dhclient
+from dropping capabilities.
+
+The
+.BI \-nc
+option is ignored if
+.B dhclient
+was not compiled with libcap-ng support.
+
.TP
.BI \-n
Do not configure any interfaces. This is most likely to be useful in
diff --git a/client/dhclient.c b/client/dhclient.c
index aefc119..b49fcb3 100644
--- a/client/dhclient.c
+++ b/client/dhclient.c
@@ -41,6 +41,10 @@
#include <sys/wait.h>
#include <limits.h>
+#ifdef HAVE_LIBCAP_NG
+#include <cap-ng.h>
+#endif
+
/*
* Defined in stdio.h when _GNU_SOURCE is set, but we don't want to define
* that when building ISC code.
@@ -272,6 +276,9 @@ main(int argc, char **argv) {
int timeout_arg = 0;
char *arg_conf = NULL;
int arg_conf_len = 0;
+#ifdef HAVE_LIBCAP_NG
+ int keep_capabilities = 0;
+#endif
/* Initialize client globals. */
memset(&default_duid, 0, sizeof(default_duid));
@@ -671,6 +678,10 @@ main(int argc, char **argv) {
dhclient_request_options = argv[i];
+ } else if (!strcmp(argv[i], "-nc")) {
+#ifdef HAVE_LIBCAP_NG
+ keep_capabilities = 1;
+#endif
} else if (argv[i][0] == '-') {
usage("Unknown command: %s", argv[i]);
} else if (interfaces_requested < 0) {
@@ -731,6 +742,19 @@ main(int argc, char **argv) {
path_dhclient_script = s;
}
+#ifdef HAVE_LIBCAP_NG
+ /* Drop capabilities */
+ if (!keep_capabilities) {
+ capng_clear(CAPNG_SELECT_CAPS);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_DAC_OVERRIDE); // Drop this someday
+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_NET_ADMIN, CAP_NET_RAW,
+ CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN, -1);
+ capng_apply(CAPNG_SELECT_CAPS);
+ }
+#endif
+
/* Set up the initial dhcp option universe. */
initialize_common_option_spaces();
diff --git a/configure.ac b/configure.ac
index b2c306b..300117f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -603,6 +603,41 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[void foo() __attribute__((noreturn));
# Look for optional headers.
AC_CHECK_HEADERS(sys/socket.h net/if_dl.h net/if6.h regex.h)
+# look for capabilities library
+AC_ARG_WITH(libcap-ng,
+ [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],,
+ with_libcap_ng=auto)
+
+# Check for Libcap-ng API
+#
+# libcap-ng detection
+if test x$with_libcap_ng = xno ; then
+ have_libcap_ng=no;
+else
+ # Start by checking for header file
+ AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no)
+
+ # See if we have libcap-ng library
+ AC_CHECK_LIB(cap-ng, capng_clear,
+ CAPNG_LDADD=-lcap-ng,)
+
+ # Check results are usable
+ if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then
+ AC_MSG_ERROR(libcap-ng support was requested and the library was not found)
+ fi
+ if test x$CAPNG_LDADD != x -a $capng_headers = no ; then
+ AC_MSG_ERROR(libcap-ng libraries found but headers are missing)
+ fi
+fi
+AC_SUBST(CAPNG_LDADD)
+AC_MSG_CHECKING(whether to use libcap-ng)
+if test x$CAPNG_LDADD != x ; then
+ AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support])
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT(no)
+fi
+
# Solaris needs some libraries for functions
AC_SEARCH_LIBS(socket, [socket])
AC_SEARCH_LIBS(inet_ntoa, [nsl])
diff --git a/relay/Makefile.am b/relay/Makefile.am
index 5562b69..4c5cfa6 100644
--- a/relay/Makefile.am
+++ b/relay/Makefile.am
@@ -8,6 +8,7 @@ dhcrelay_LDADD = ../common/libdhcp.@A@ ../omapip/libomapi.@A@ \
@BINDLIBIRSDIR@/libirs.@A@ \
@BINDLIBDNSDIR@/libdns.@A@ \
@BINDLIBISCCFGDIR@/libisccfg.@A@ \
- @BINDLIBISCDIR@/libisc.@A@
+ @BINDLIBISCDIR@/libisc.@A@ \
+ $(CAPNG_LDADD)
man_MANS = dhcrelay.8
EXTRA_DIST = $(man_MANS)
diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
index a7b1286..0dc17d6 100644
--- a/relay/dhcrelay.c
+++ b/relay/dhcrelay.c
@@ -32,6 +32,11 @@
#include <sys/time.h>
#include <isc/file.h>
+#ifdef HAVE_LIBCAP_NG
+# include <cap-ng.h>
+ int keep_capabilities = 0;
+#endif
+
TIME default_lease_time = 43200; /* 12 hours... */
TIME max_lease_time = 86400; /* 24 hours... */
struct tree_cache *global_options[256];
@@ -614,6 +619,10 @@ main(int argc, char **argv) {
if (++i == argc)
usage(use_noarg, argv[i-1]);
dhcrelay_sub_id = argv[i];
+#endif
+ } else if (!strcmp(argv[i], "-nc")) {
+#ifdef HAVE_LIBCAP_NG
+ keep_capabilities = 1;
#endif
} else if (!strcmp(argv[i], "-pf")) {
if (++i == argc)
@@ -684,6 +693,17 @@ main(int argc, char **argv) {
#endif
}
+#ifdef HAVE_LIBCAP_NG
+ /* Drop capabilities */
+ if (!keep_capabilities) {
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_NET_RAW, CAP_NET_BIND_SERVICE, -1);
+ capng_apply(CAPNG_SELECT_BOTH);
+ log_info ("Dropped all unnecessary capabilities.");
+ }
+#endif
+
if (!quiet) {
log_info("%s %s", message, PACKAGE_VERSION);
log_info(copyright);
@@ -840,6 +860,15 @@ main(int argc, char **argv) {
signal(SIGTERM, dhcp_signal_handler); /* kill */
#endif
+#ifdef HAVE_LIBCAP_NG
+ /* Drop all capabilities */
+ if (!keep_capabilities) {
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_apply(CAPNG_SELECT_BOTH);
+ log_info ("Dropped all capabilities.");
+ }
+#endif
+
/* Start dispatching packets and timeouts... */
dispatch();
--
2.35.1