Bug #13788: restart of privilege-aware zone init fails
Status: Closed
% Done: 100%
Description
Found whilst working on making bhyve privilege aware (#13764) and using security flags (#13786) on OmniOS bloody.
In common with SmartOS, OmniOS bloody runs bhyve in a non-global zone with bhyve as the init process, see below.
bloody# ptree -z bhyvetest
101086 zsched
  101168 bhyve-bhyvetest -k /etc/bhyve.cfg
bloody# ppriv -S 101168
101168: bhyve-bhyvetest -k /etc/bhyve.cfg
flags = PRIV_AWARE
        E: basic_test,file_read,proc_clock_highres
        I: basic
        P: basic_test,file_read,file_write,proc_clock_highres
        L: basic,file_dac_read,net_rawaccess,proc_clock_highres,sys_admin,sys_mount
bloody# psecflags 101168
101168: bhyve-bhyvetest -k /etc/bhyve.cfg
        E: aslr
        I: none
        L: none
        U: aslr,forbidnullmap,noexecstack
The problem is that the zone's init process is restarted by exec()ing a new copy on top of itself, after fixing up a few things to make it look (mostly) like a new process - the comment at https://github.com/illumos/illumos-gate/blob/master/usr/src/uts/common/os/exit.c#L143 includes:

    Anything else that exec(2) says would be inherited, but would affect the execution of init, needs to be reset.

The current code does not reset privileges or security flags. That means that when init exits having dropped privileges such as proc_exec, it cannot be restarted and the zone shuts down, regardless of whether restartinit is enabled.
May  6 11:58:03 bloody genunix: [ID 729207 kern.warning] WARNING: init(1M) for zone bhyvetest (pid 7867) exited with status 0: restarting automatically
May  6 11:58:03 bloody genunix: [ID 864859 kern.notice] NOTICE: bhyve[7867]: missing privilege "proc_exec" (euid = 0, syscall = 59) needed at exec_common+0x1ce
May  6 11:58:03 bloody genunix: [ID 776775 kern.warning] WARNING: failed to restart init(1M) for zone bhyvetest (pid 7867, err=1): zoneadm(1M) boot required
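As an added example (not code from this bug report or from the illumos fix), a small POSIX shell script that makes the two checks implied by the description mechanical: whether a zone's init still holds proc_exec in its effective set according to ppriv(1)-style output, and whether the kernel log shows the "failed to restart init(1M)" warning. The ppriv and syslog samples embedded in it are constructed to match the output quoted above; the function names are mine, and the membership of the "basic" shorthand set is taken from illumos privileges(5) as I understand it.

```shell
#!/bin/sh
# Added example, not part of bug 13788 or the illumos fix. Two checks for the
# failure mode described above, run here against constructed sample text.

# Constructed ppriv output (same shape as ppriv -S on a zone's init) for an
# init that has removed proc_exec from its effective and permitted sets.
SAMPLE_PPRIV='101035: /sbin/init
flags = <none>
        E: basic,!proc_exec
        I: basic
        P: basic,!proc_exec
        L: basic,!proc_exec'

# Constructed syslog lines, in the format the bug description quotes.
SAMPLE_LOG='May  6 11:58:03 bloody genunix: [ID 729207 kern.warning] WARNING: init(1M) for zone bhyvetest (pid 7867) exited with status 0: restarting automatically
May  6 11:58:03 bloody genunix: [ID 864859 kern.notice] NOTICE: bhyve[7867]: missing privilege "proc_exec" (euid = 0, syscall = 59) needed at exec_common+0x1ce
May  6 11:58:03 bloody genunix: [ID 776775 kern.warning] WARNING: failed to restart init(1M) for zone bhyvetest (pid 7867, err=1): zoneadm(1M) boot required'

# Privileges that ppriv(1) folds into the "basic" shorthand on illumos
# (assumed from privileges(5); comma-separated so the loops below split it).
BASIC_PRIVS='file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session'

# init_has_effective_priv PPRIV_OUTPUT PRIV
# Exit 0 if PRIV is in the effective (E:) set of PPRIV_OUTPUT, 1 otherwise.
# ppriv prints a set as a comma list where "basic" stands for BASIC_PRIVS,
# "name" adds a privilege and "!name" removes one; entries apply in order.
init_has_effective_priv() {
    eset=$(printf '%s\n' "$1" | awk '$1 == "E:" { print $2 }')
    priv=$2
    present=1
    oldifs=$IFS
    IFS=,
    for entry in $eset; do
        case $entry in
            "$priv")  present=0 ;;
            "!$priv") present=1 ;;
            basic)
                for b in $BASIC_PRIVS; do
                    [ "$b" = "$priv" ] && present=0
                done ;;
        esac
    done
    IFS=$oldifs
    return $present
}

# count_restart_failures LOG
# Prints how many "failed to restart init(1M)" warnings LOG contains; each one
# is a zone that went down because its init could not be re-exec'd.
count_restart_failures() {
    printf '%s\n' "$1" | awk '/failed to restart init\(1M\)/ { n++ } END { print n + 0 }'
}

# missing_priv_from_log LOG
# Prints the privilege named in the first 'missing privilege "..."' notice.
missing_priv_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*missing privilege "\([^"]*\)".*/\1/p' | sed -n '1p'
}

if init_has_effective_priv "$SAMPLE_PPRIV" proc_exec; then
    echo "init keeps proc_exec: re-exec on restart can succeed"
else
    echo "init lacks proc_exec in E: restart via exec() fails on an unpatched kernel"
fi
echo "restart failures in log: $(count_restart_failures "$SAMPLE_LOG")"
echo "privilege reported missing: $(missing_priv_from_log "$SAMPLE_LOG")"
```

On a live system the same functions can be fed `ppriv -S "$(pgrep -z zonename init)"` output and the relevant syslog, which turns the manual ppriv/kill/ppriv check described later in this issue into something that can run from a monitoring job.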
Related issues
Updated by Andy Fiddaman about 2 years ago
- Related to Feature #13764: bhyve could reduce privileges(5) added
Updated by Andy Fiddaman about 2 years ago
This change has been tested in OmniOS bloody with a range of different zone brands, including bhyve using a privilege-aware init (where the original problem occurred).
I also tested modifying the privileges on a native zone's init, then killing it and checking that privileges had been reverted as expected - this example is from testing under DEBUG bits:
bloody# ppriv 101035
101035: /sbin/init
flags = <none>
        E: basic,!proc_exec
        I: basic
        P: basic,!proc_exec
        L: basic,!proc_exec
bloody# kill -9 101035
May  7 13:11:03 bloody genunix: [ID 729207 kern.warning] WARNING: init(1M) for zone sparse (pid 101035) exited on fatal signal 9: restarting automatically
bloody# ppriv -S 101035
101035: /sbin/init
flags = <none>
        E: basic,contract_event,contract_identity,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,sys_ppp_config,sys_resource,sys_smb
        I: basic
        P: basic,contract_event,contract_identity,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,sys_ppp_config,sys_resource,sys_smb
        L: basic,contract_event,contract_identity,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,sys_ppp_config,sys_resource,sys_smb
Updated by Electric Monk about 2 years ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
git commit 2851030d1db57fd5488bc19a8da8147d79711654

commit 2851030d1db57fd5488bc19a8da8147d79711654
Author: Andy Fiddaman <omnios@citrus-it.co.uk>
Date:   2021-05-24T18:14:16.000Z

    13788 restart of privilege-aware zone init fails
    Reviewed by: Gordon Ross <gordon.w.ross@gmail.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>