On Fri, Oct 14, 2022 at 02:12:26PM +1100, David Gibson wrote:On Thu, Oct 13, 2022 at 06:34:06PM +0200, Stefano Brivio wrote: > Even if CAP_NET_BIND_SERVICE is granted, we'll lose the capability in > the target user namespace as we isolate the process, which means > we're unable to bind to low ports at that point. > > Bind inbound ports, and only those, before isolate_user(). Keep the > handling of outbound ports (for pasta mode only) after the setup of > the namespace, because that's where we'll bind them. > > To this end, initialise the netlink socket for the init namespace > before isolate_user() as well, as we actually need to know the > addresses of the upstream interface before binding ports, in case > they're not explicitly passed by the user. > > As we now call nl_sock_init() twice, checking its return code from > conf() twice looks a bit heavy: make it exit(), instead, as we > can't do much if we don't have netlink sockets. > > While at it: > > - move the v4_only && v6_only options check just after the first > option processing loop, as this is more strictly related to > option parsing proper > > - update the man page, explaining that CAP_NET_BIND_SERVICE is > *not* the preferred way to bind ports, because passt and pasta > can be abused to allow other processes to make effective usage > of it. Add a note about the recommended sysctl instead > > Reported-by: David Gibson <david(a)gibson.dropbear.id.au> > Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>Sorry, sent the previous reply before I'd finished.> -If the port forwarding configuration requires binding to port numbers lower than > -1024, \fBpasst\fR and \fBpasta\fR will try to bind to them, but will fail if not > -running as root, or without the \fICAP_NET_BIND_SERVICE\fR Linux capability, see > -\fBservices\fR(5) and \fBcapabilities\fR(7). To grant the > -\fICAP_NET_BIND_SERVICE\fR capability to passt, you can issue, as root: > +If the port forwarding configuration requires binding to ports with numbers > +lower than 1024, \fBpasst\fR and \fBpasta\fR will try to bind to them, but will > +fail, unless, either: > + > +.IP \(bu 2 > +the \fIsys.net.ipv4.ip_unprivileged_port_start\fR sysctl is set to the number > +of the lowest port \fBpasst\fR and \fBpasta\fR need. For example, as root: > + > +.nf > + sysctl -w net.ipv4.ip_unprivileged_port_start=443 > +.fi > + > +\fBNote\fR: this is the recommended way of enabling \fBpasst\fR and \fBpasta\fR > +to bind to ports with numbers below 1024. > + > +.IP \(bu > +or the \fICAP_NET_BIND_SERVICE\fR Linux capability is granted, see > +\fBservices\fR(5) and \fBcapabilities\fR(7). > + > +This is, in general, \fBnot the recommended way\fR, because \fBpasst\fR and > +\fBpasta\fR might be used as vector to effectively use this capability from > +another process. > + > +However, if your environment is sufficiently controlled by an LSM (Linux > +Security Module) such as \fIAppArmor\fR, \fISELinux\fR, \fISmack\fR or > +\fITOMOYO\fR, and no other processes can interact in such a way in virtue of > +this, granting this capability to \fBpasst\fR and \fBpasta\fR only can > +effectively prevent other processes from utilising it. > + > +Note that this will not work for automatic detection and forwarding of ports > +with \fBpasta\fR, because \fBpasta\fR will relinquish this capability at > +runtime. > + > +To grant this capability, you can issue, as root: > + > +.nf > + setcap 'cap_net_bind_service=+ep' $(which passt) > +.fi > > -.RS > -setcap 'cap_net_bind_service=+ep' $(which passt) > .REThese likely won't be enough, since for most users the caps on the passt.avx2 binary are the ones that will matter. -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson