Hello
I wonder whether it is possible to mount selinuxfs or read pci on unprivileged container.
I’ve been trying to run some low-level-related applications on an unprivileged container.
(It can run on a privileged container.)
When I started this,even on an unprivileged container, I assumed that applications could get a privileged escalation by using capabilities.
Just simple concept…
If user could do something, unprivileged container mapped by subuid/subgid of user could do them.
But after reading the next article and kernel code, I’ve realized that an unprivileged container could not be used for an application which requires a privileged escalation.
No matter what user’s capabilities are, a new user namespace is supposed to get a complete set of capabilities. however it doesn’t seem to allow to get a privileged escalation in the point of host’s view.
article
- http://man7.org/linux/man-pages/man7/user_namespaces.7.html
- https://brauner.github.io/2018/08/05/unprivileged-file-capabilities.html
- Unprivileged container and capabilities
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8db6c34f1d
kernel code shows capable() is supposed to check capabilities only for init_user_ns.
bool capable(int cap)
{
return ns_capable(&init_user_ns, cap);
}
So when capable() is called directly instead of ns_capable(), user_namespace’s capabilities seems to be useless.
For example, when it comes to system call for pciconfig_write or pciconfig_read, it seems to be impossible that unprivileged container does those systemcalls because there is a “capable(CAP_SYS_ADMIN)” .
In order to mount selinuxfs or do mknod, is it enough to apply the namespaced file capabilities mentioned above ?
Current version of kernel is 4.9.x and the name-spaced file capabilities is not applied.
The test result on unprivileged container is like the next.
lxc-u0@arm:~$ lxc-create --version
3.0.3
lxc-u0@arm:~$ id
uid=10000(lxc-u0) gid=10000(lxc-u0) groups=10000(lxc-u0),20000(lxc)
lxc-u0@arm:~$ grep cap /tmp/lxc/b1_lxc-u0/config
#lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc-u0@arm:~$ ps axf | grep -A 4 lxc-u[0]
1431 ? Ss 0:00 [lxc monitor] /tmp/lxc b1_lxc-u0
1436 pts/1 Ss+ 0:00 \_ /sbin/init
lxc-u0@arm:~$
lxc-u0@arm:~$ cat /proc/1436/status | grep -i cap
CapInh: 0000003fffffffff
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000003fffffffff
lxc-u0@arm:~$ cat /proc/1436/status | grep -i -E "(uid|cap)"
Uid: 165536 165536 165536 165536
CapInh: 0000003fffffffff
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000003fffffffff
lxc-u0@arm:~$ cat /proc/self/status | grep -i -E "(uid|cap)"
Uid: 10000 10000 10000 10000
CapInh: 0000003fffe3ffff
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
lxc-u0@arm:~$ lxc-attach -nb1_lxc-u0 --clear-env -P/tmp/lxc -- /bin/cat /proc/self/status | grep -i -E "(uid|cap)"
Uid: 0 0 0 0
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
lxc-u0@arm:~$ lxc-attach -nb1_lxc-u0 --clear-env -P/tmp/lxc
/ #
/ # id
uid=0(root) gid=0(root)
/ #
/ # mkdir aa
/ # mount -t tmpfs none aa
/ # mount | grep aa
none on /aa type tmpfs (rw,relatime,uid=165536,gid=165536)
/ #
/ #
/ # mkdir bb
/ # mount -t selinuxfs none bb
mount: permission denied (are you root?)
/ #
/ # /usr/sbin/mount.util-linux -t selinuxfs none bb
mount.util-linux: permission denied
/ #
/ # /usr/sbin/getcap /usr/sbin/mount.util-linux
/ # /usr/sbin/getfattr -d -m . /usr/sbin/mount.util-linux
/ #
/ #
/ # echo "root do setcap"
root do setcap
/ #
/ # /usr/sbin/getcap /usr/sbin/mount.util-linux
/usr/sbin/mount.util-linux = cap_sys_admin,cap_mac_override,cap_mac_admin+ei
/ # /usr/sbin/getfattr -d -m . /usr/sbin/mount.util-linux
getfattr: Removing leading '/' from absolute path names
# file: usr/sbin/mount.util-linux
security.capability=0sAQAAAgAAAAAAACAAAAAAAAMAAAA=
/ #
/ # /usr/sbin/mount.util-linux -t selinuxfs none bb
mount.util-linux: permission denied
/ #
/ #
/ # umount aa
/ #
/ #
/ #
/ #
/ # /usr/sbin/mount.util-linux -t devtmpfs none aa
mount.util-linux: permission denied
/ #
/ #
/ #
/ # /bin/busybox mknod vbb b 254 16
mknod: vbb: Operation not permitted
/ # /usr/sbin/getcap /bin/busybox
/ #
/ # echo "root do setcap"
root do setcap
/ # /usr/sbin/getcap /bin/busybox
/bin/busybox = cap_sys_admin,cap_mknod+eip
/ #
/ # /bin/busybox mknod vbb b 254 16
mknod: vbb: Operation not permitted
/ #
/ # uname -r
4.9.13
/ #
Happy New Year !!
Thanks