[Spice-commits] 2 commits - build-aux/setcap-or-suid meson.build meson_options.txt src/meson.build src/spice-client-glib-usb-acl-helper.c
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Thu Apr 16 09:08:16 UTC 2020
build-aux/setcap-or-suid | 10 ++++++++++
meson.build | 6 ++++++
meson_options.txt | 4 ++++
src/meson.build | 2 +-
src/spice-client-glib-usb-acl-helper.c | 32 ++++++++++++++++++++++++++++----
5 files changed, 49 insertions(+), 5 deletions(-)
New commits:
commit c27f2874a2f6f93be6fcba5f8234957eec93229c
Author: Marc-André Lureau <marcandre.lureau at redhat.com>
Date: Thu Apr 9 12:39:57 2020 +0200
usb-acl-helper: also drop capabilities with libcap-ng
On file systems without capabilities attributes, drop capabilities at
runtime from the start.
Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
Acked-by: Frediano Ziglio <fziglio at redhat.com>
diff --git a/meson.build b/meson.build
index 01755be..91c6ec2 100644
--- a/meson.build
+++ b/meson.build
@@ -191,6 +191,12 @@ if d1.found() and d2.found() and d3.found()
spice_gtk_has_usbredir = true
endif
+d = dependency('libcap-ng', required : get_option('libcap-ng'))
+if d.found()
+ spice_gtk_config_data.set('USE_LIBCAP_NG', '1')
+ spice_acl_deps += d
+endif
+
# polkit
spice_gtk_has_polkit = false
d = dependency('polkit-gobject-1', version : '>= 0.101', required : get_option('polkit'))
diff --git a/meson_options.txt b/meson_options.txt
index 7d2ea30..88ca9b4 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -15,6 +15,10 @@ option('usbredir',
type : 'feature',
description : 'Enable usbredir support')
+option('libcap-ng',
+ type : 'feature',
+ description: 'Enable libcap-ng support for the USB acl helper')
+
option('polkit',
type : 'feature',
description : 'Enable PolicyKit support for the USB acl helper')
diff --git a/src/spice-client-glib-usb-acl-helper.c b/src/spice-client-glib-usb-acl-helper.c
index 4bfe96e..17113e6 100644
--- a/src/spice-client-glib-usb-acl-helper.c
+++ b/src/spice-client-glib-usb-acl-helper.c
@@ -32,6 +32,9 @@
#include <gio/gunixinputstream.h>
#include <polkit/polkit.h>
#include <sys/acl.h>
+#ifdef USE_LIBCAP_NG
+#include <cap-ng.h>
+#endif
#define FATAL_ERROR(...) \
do { \
@@ -288,15 +291,36 @@ int main(void)
pid_t parent_pid;
GInputStream *stdin_unix_stream;
- /* Nuke the environment to get a well-known and sanitized
- * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS
- * environment variable and similar.
- */
+ /* Nuke the environment to get a well-known and sanitized
+ * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS
+ * environment variable and similar.
+ */
if (clearenv () != 0) {
FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno));
return 1;
}
+#ifdef USE_LIBCAP_NG
+ /* When SUID root, keep only CAP_FOWNER and change credentials */
+ if (geteuid() == 0 && getuid() != geteuid()) {
+ int rv;
+
+ capng_clear(CAPNG_SELECT_BOTH);
+ rv = capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_FOWNER);
+ if (rv < 0) {
+ FATAL_ERROR("Failed to update the capabilities: %d\n", rv);
+ return 1;
+ }
+
+ rv = capng_change_id(getuid(), getgid(), CAPNG_CLEAR_BOUNDING);
+ if (rv < 0) {
+ FATAL_ERROR("Failed to drop capabilities: %d\n", rv);
+ return 1;
+ }
+ }
+#endif
+
+
loop = g_main_loop_new(NULL, FALSE);
authority = polkit_authority_get_sync(NULL, NULL);
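Review bot: The reduction at the `if (geteuid() == 0 && getuid() != geteuid())` guard only fires for the SUID-root install; when the helper is executed with uid == euid == 0 (root invoking it directly) the block is skipped and the process keeps whatever capability set the kernel granted it, which the comment `/* When SUID root, keep only CAP_FOWNER and change credentials */` does not make clear. If leaving the root and file-capability cases untouched is intentional, say so: `/* Only a SUID-root install needs trimming here: a setcap install is already limited by the file capabilities, and a plain-root invocation is left as is */`. The `rv` checks cover both libcap-ng calls, but the `%d` in the FATAL_ERROR messages prints libcap-ng's negative stage code, so a reader may want `(rv = %d)` wording that makes that clear. The two consecutive blank lines added before `loop = g_main_loop_new` are a style nit; one is enough. The body of `main` starts and ends outside the hunk.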
commit 09111bd1a4e8969863e592717db936d940093521
Author: Marc-André Lureau <marcandre.lureau at redhat.com>
Date: Thu Apr 9 02:12:04 2020 +0200
spice-client-glib-usb-acl-helper doesn't need suid root
A privileged executable should operate with the least amount of
privileges possible. For spice-client-glib-usb-acl-helper, this is
CAP_FOWNER for acl_set_file() to succeed.
Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
Acked-by: Frediano Ziglio <fziglio at redhat.com>
diff --git a/build-aux/setcap-or-suid b/build-aux/setcap-or-suid
new file mode 100755
index 0000000..b35bc84
--- /dev/null
+++ b/build-aux/setcap-or-suid
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+file="$DESTDIR$1"
+caps="$2"
+
+setcap "$caps" "$file" && exit 0
+
+echo "Warning: setcap failed, falling back on suid!" >&2
+chown root:root "$file"
+chmod u+s "$file"
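Review bot: The fallback ignores the result of `chown root:root "$file"`, so if it fails the script still runs `chmod u+s` and exits with chmod's status, and an install can report success with a helper that is neither capability-bearing nor SUID root; chain them as `chown root:root "$file" && chmod u+s "$file"` or add `set -e` after the shebang. The script also has no check that `$1` and `$2` were supplied, so a missing argument turns into `setcap "" "$DESTDIR"`. Note that with `DESTDIR` set the `setcap` branch succeeds on the staging tree, and whether the xattr survives packaging presumably depends on the packaging tool — worth a comment in the script if that is a known limitation.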
diff --git a/src/meson.build b/src/meson.build
index d968720..dc78c94 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -234,10 +234,10 @@ if spice_gtk_has_polkit
include_directories : spice_gtk_include,
install : true,
install_dir : spice_gtk_usb_acl_helper_dir,
- install_mode : ['rwsr-xr-x', 'root', 'root'],
dependencies : spice_acl_deps,
pie : spice_gtk_has_pie
)
+ meson.add_install_script('../build-aux/setcap-or-suid', spice_gtk_usb_acl_helper_dir / 'spice-client-glib-usb-acl-helper', 'cap_fowner+ep')
endif
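Review bot: The install script receives `spice_gtk_usb_acl_helper_dir / 'spice-client-glib-usb-acl-helper'` and prepends `$DESTDIR` to it, which only resolves correctly if `spice_gtk_usb_acl_helper_dir` is an absolute path; meson accepts prefix-relative `install_dir` values, so if this variable can be relative the argument should be joined with the prefix first. Dropping the `install_mode` line means the binary is installed with the default mode and ownership, and the capability or SUID bit is applied only by the script afterwards, so a short comment above `meson.add_install_script` explaining that the script is what grants the privilege would help the next maintainer. The `/` path-join operator needs a meson version that supports it, which I cannot confirm from here.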