Project

General

Profile

Actions

Bug #13788

closed

restart of privilege-aware zone init fails

Added by Andy Fiddaman about 1 month ago. Updated 29 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
kernel
Start date:
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

Found whilst working on making bhyve privilege aware (#13764) and using security flags (#13786) on OmniOS bloody.
In common with SmartOS, OmniOS bloody runs bhyve in a non global zone with bhyve as the init process, see below.

bloody# ptree -z bhyvetest
101086 zsched
  101168 bhyve-bhyvetest -k /etc/bhyve.cfg

bloody# ppriv -S 101168
101168: bhyve-bhyvetest -k /etc/bhyve.cfg
flags = PRIV_AWARE
        E: basic_test,file_read,proc_clock_highres
        I: basic
        P: basic_test,file_read,file_write,proc_clock_highres
        L: basic,file_dac_read,net_rawaccess,proc_clock_highres,sys_admin,sys_mount

bloody# psecflags 101168
101168: bhyve-bhyvetest -k /etc/bhyve.cfg
        E:      aslr
        I:      none
        L:      none
        U:      aslr,forbidnullmap,noexecstack

The problem is that the zone's init process is restarted by exec() ing a new copy on top of itself, after fixing up a few things to make it look (mostly) like a new process - the comment at https://github.com/illumos/illumos-gate/blob/master/usr/src/uts/common/os/exit.c#L143 includes:

Anything else that exec(2) says would be inherited, but would affect the execution of init, needs to be reset.

The current code does not reset privileges or security flags. That means that when init exits having dropped privileges such as proc_exec, it cannot be restarted and the zone shuts down, regardless of whether restartinit is enabled.

May  6 11:58:03 bloody genunix: [ID 729207 kern.warning] WARNING: init(1M) for zone bhyvetest (pid 7867) exited with status 0: restarting automatically
May  6 11:58:03 bloody genunix: [ID 864859 kern.notice] NOTICE: bhyve[7867]: missing privilege "proc_exec" (euid = 0, syscall = 59) needed at exec_common+0x1ce
May  6 11:58:03 bloody genunix: [ID 776775 kern.warning] WARNING: failed to restart init(1M) for zone bhyvetest (pid 7867, err=1): zoneadm(1M) boot required

Related issues

Related to illumos gate - Feature #13764: bhyve could reduce privileges(5)ClosedAndy Fiddaman

Actions
Actions #1

Updated by Andy Fiddaman about 1 month ago

  • Description updated (diff)
Actions #2

Updated by Electric Monk about 1 month ago

  • Gerrit CR set to 1473
Actions #3

Updated by Andy Fiddaman about 1 month ago

Actions #4

Updated by Andy Fiddaman about 1 month ago

This change has been tested in OmniOS bloody with a range of different zone brands, including bhyve using a privilege-aware init (where the original problem occured)

I also tested modifying the privileges on a native zone's init, then killing it and checking that privileges had been reverted as expected - this example is from testing under DEBUG bits:

bloody# ppriv 101035
101035: /sbin/init
flags = <none>
        E: basic,!proc_exec
        I: basic
        P: basic,!proc_exec
        L: basic,!proc_exec
bloody# kill -9 101035
May  7 13:11:03 bloody genunix: [ID 729207 kern.warning] WARNING: init(1M) for zone sparse (pid 101035) exited on fatal signal 9: restarting automatically
bloody# ppriv -S 101035
101035: /sbin/init
flags = <none>
        E: basic,contract_event,contract_identity,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,sys_ppp_config,sys_resource,sys_smb
        I: basic
        P: basic,contract_event,contract_identity,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,sys_ppp_config,sys_resource,sys_smb
        L: basic,contract_event,contract_identity,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,sys_ppp_config,sys_resource,sys_smb
Actions #5

Updated by Electric Monk 29 days ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit 2851030d1db57fd5488bc19a8da8147d79711654

commit  2851030d1db57fd5488bc19a8da8147d79711654
Author: Andy Fiddaman <omnios@citrus-it.co.uk>
Date:   2021-05-24T18:14:16.000Z

    13788 restart of privilege-aware zone init fails
    Reviewed by: Gordon Ross <gordon.w.ross@gmail.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>

Actions

Also available in: Atom PDF