Merge !896: daemon: support dropping capabilities

a39c478e · Vladimír Čunát · 9a0835d1 · ed8420e4 · a39c478e · a39c478e
Commit a39c478e authored 5 years ago by Vladimír Čunát
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ Improvements
 - increase file-descriptor count limit to maximum allowed value (hard limit)
 - watchdog module: support testing a DNS query (and switch C -> lua; !878)
 - performance: use sendmmsg syscall towards clients by default (!877)
+- daemon now attempts to drop all capabilities (!896)


 Knot Resolver 4.2.2 (2019-10-07)

--- a/daemon/main.c
+++ b/daemon/main.c
@@ -40,6 +40,10 @@
 #include <sys/resource.h>
 #include <unistd.h>

+#ifdef ENABLE_CAP_NG
+#include <cap-ng.h>
+#endif
+
 #include <lua.h>
 #include <uv.h>
 #if SYSTEMD_VERSION > 0
@@ -661,6 +665,25 @@ static int start_listening(struct network *net, flagged_fd_array_t *fds) {
 	return some_bad_ret;
 }

+/* Drop POSIX 1003.1e capabilities. */
+static void drop_capabilities(void)
+{
+#ifdef ENABLE_CAP_NG
+	/* Drop all capabilities. */
+	if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+		capng_clear(CAPNG_SELECT_BOTH);
+
+		/* Apply. */
+		if (capng_apply(CAPNG_SELECT_BOTH) < 0) {
+			kr_log_error("[system] failed to set process capabilities: %s\n",
+			          strerror(errno));
+		}
+	} else {
+		kr_log_info("[system] process not allowed to set capabilities, skipping\n");
+	}
+#endif /* ENABLE_CAP_NG */
+}
+
 int main(int argc, char **argv)
 {
 	struct args args;
@@ -855,6 +878,7 @@ int main(int argc, char **argv)
 			goto cleanup;
 		}
 	}
+	drop_capabilities();
 	if (engine_start(&engine) != 0) {
 		ret = EXIT_FAILURE;
 		goto cleanup;

--- a/daemon/meson.build
+++ b/daemon/meson.build
@@ -41,6 +41,7 @@ kresd_deps = [
  luajit,
  gnutls,
  libsystemd,
+  capng,
 ]



--- a/distro/arch/PKGBUILD
+++ b/distro/arch/PKGBUILD
@@ -22,6 +22,7 @@ depends=(
    'lua51-socket'
    'luajit'
    'systemd'
+    'libcap-ng'
 )
 optdepends=(
    'lua51-basexx: experimental_dot_auth module',

--- a/distro/deb/control
+++ b/distro/deb/control
@@ -13,6 +13,7 @@ Build-Depends:
 liblmdb-dev,
 libluajit-5.1-dev,
 libsystemd-dev (>= 227) [linux-any],
+ libcap-ng-dev,
 libuv1-dev,
 luajit,
 pkg-config,

--- a/distro/rpm/knot-resolver.spec
+++ b/distro/rpm/knot-resolver.spec
@@ -44,6 +44,7 @@ BuildRequires:  pkgconfig(libknot) >= 2.8
 BuildRequires:  pkgconfig(libzscanner) >= 2.8
 BuildRequires:  pkgconfig(libdnssec) >= 2.8
 BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  pkgconfig(libcap-ng)
 BuildRequires:  pkgconfig(libuv)
 BuildRequires:  pkgconfig(luajit) >= 2.0


--- a/etc/config/meson.build
+++ b/etc/config/meson.build
@@ -16,10 +16,7 @@ net.listen('::1', 853, { kind = 'tls' })
 -- net.listen('127.0.0.1', 44353, { kind = 'doh' })
 -- net.listen('::1', 44353, { kind = 'doh' })
 -- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
-- net.listen('::1', 8453, { kind = 'webmgmt' })
-
-- Drop root privileges
-user('@0@', '@1@')'''.format(user, group)
+-- net.listen('::1', 8453, { kind = 'webmgmt' })'''
 endif



--- a/meson.build
+++ b/meson.build
@@ -30,7 +30,6 @@ luajit = dependency('luajit')
 # NOTE avoid using link_args for luajit due to a macOS issue
 # https://github.com/Homebrew/homebrew-core/issues/37169
 luajit_inc = luajit.partial_dependency(compile_args: true, includes: true)
-openssl = dependency('openssl', required: false)
 message('------------------------------')


@@ -82,7 +81,12 @@ verbose_log = get_option('verbose_log') == 'enabled' or get_option('verbose_log'
 user = get_option('user')
 group = get_option('group')

-## sendmmsg
+## Optional dependencies
+message('--- optional dependencies ---')
+capng = dependency('libcap-ng', required: false)
+openssl = dependency('openssl', required: false)
+
+### sendmmsg
 has_sendmmsg = meson.get_compiler('c').has_function('sendmmsg',
  prefix: '#define _GNU_SOURCE\n#include <sys/socket.h>')
 if get_option('sendmmsg') == 'enabled' and not has_sendmmsg
@@ -93,8 +97,7 @@ else
  sendmmsg = get_option('sendmmsg') == 'enabled'
 endif

-## Systemd
-message('--- systemd socket activation ---')
+### Systemd
 libsystemd = dependency('libsystemd', required: false)
 systemd_files = get_option('systemd_files')
 if systemd_files == 'enabled' and (
@@ -148,6 +151,7 @@ conf_data.set('SYSTEMD_VERSION',
  libsystemd.found() ? libsystemd.version().to_int() : -1)
 conf_data.set('NOVERBOSELOG', not verbose_log)
 conf_data.set('ENABLE_SENDMMSG', sendmmsg.to_int())
+conf_data.set('ENABLE_CAP_NG', capng.found())

 kresconfig = configure_file(
  output: 'kresconfig.h',

--- a/systemd/nosocket/kresd@.service.in
+++ b/systemd/nosocket/kresd@.service.in
@@ -11,6 +11,10 @@ After=network-online.target
 Type=notify
 WorkingDirectory=@systemd_work_dir@
 ExecStart=@sbin_dir@/kresd --config=@etc_dir@/kresd.conf --forks=1
+User=@user@
+Group=@group@
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP
 TimeoutStopSec=10s
 WatchdogSec=10s
 Restart=on-abnormal