Merge branch 'develop'

SecConNet · Oct 24, 2022 · 6e70c21 · 6e70c21
2 parents 960e877 + 8bd39c6
commit 6e70c21
Show file tree

Hide file tree

Showing 8 changed files with 107 additions and 131 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,27 @@
+FROM ubuntu:20.04
+
+RUN \
+    apt-get update && \
+    apt-get install -y gcc make iproute2 wireguard-tools libcap2 libcap2-bin libcap-dev && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+RUN \
+    mkdir /usr/local/src/net-admin-helper && \
+    mkdir /usr/local/src/net-admin-helper/bin
+
+COPY Makefile /usr/local/src/net-admin-helper/Makefile
+COPY config.h /usr/local/src/net-admin-helper/config.h
+COPY src /usr/local/src/net-admin-helper/src
+
+RUN \
+    cd /usr/local/src/net-admin-helper && \
+    make && make setcap && \
+    mv /usr/local/src/net-admin-helper/bin/net-admin-helper /usr/local/bin/net-admin-helper
+
+RUN rm -r /usr/local/src/net-admin-helper
+
+RUN apt-get remove -y gcc make libcap-dev && apt-get -y autoremove
+
+USER nobody
+
diff --git a/Makefile b/Makefile
@@ -18,12 +18,21 @@ setcap: bin/net-admin-helper
 	chown root:root bin/net-admin-helper
 	chmod 755 bin/net-admin-helper
 	# Give it the needed capabilities
-	setcap 'cap_net_admin,cap_sys_ptrace,cap_sys_admin=p' bin/net-admin-helper
+	setcap 'cap_net_admin,cap_sys_ptrace,cap_sys_admin,cap_ipc_lock=p' bin/net-admin-helper
+
+
+export DOCKER_BUILDKIT = 1
+
+.PHONY: docker
+docker:
+	docker build . -t net-admin-helper:latest
+	docker save net-admin-helper:latest >bin/net-admin-helper.tar
 
 
 .PHONY: clean
 clean:
-	rm -f bin/*
+	-rm -f bin/*
+	-docker rmi net-admin-helper:latest
 
 
 bin/main.o: config.h src/container_wireguard.h

diff --git a/config.h.example b/config.h.example
@@ -11,11 +11,12 @@
 #define WG "/usr/bin/wg"
 
 
-/** Enable tasks.
- *
- * This selects tasks to enable. To enable a task, remove the `// ` at the start
- * of its line.
- */
+/** Settings for container WireGuard */
+
+// Device name prefix, use e.g. your application name
+#define CWG_PREFIX "cwg"
+
+// To enable a task, remove the `// ` at the start of its line.
 // #define ENABLE_CWG_CREATE
 // #define ENABLE_CWG_CONNECT
 // #define ENABLE_CWG_DESTROY

diff --git a/src/capabilities.c b/src/capabilities.c
@@ -65,84 +65,17 @@ int set_ambient_capabilities() {
 }
 
 
-/** Enable CAP_SYS_PTRACE so we can access a container network namespace. */
-int enable_cap_sys_ptrace() {
+/** Enable a specific capability. */
+int enable_cap(cap_value_t cap) {
     cap_t caps;
-    cap_value_t cap_list[] = {CAP_SYS_PTRACE};
 
     caps = cap_get_proc();
     if (caps == NULL) {
         perror("Error getting capabilities");
         goto exit_0;
     }
 
-    if (cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET) != 0) {
-        perror("Error setting effective capabilities");
-        goto exit_0;
-    }
-
-    if (cap_set_proc(caps) != 0) {
-        perror("Error setting capabilities");
-        goto exit_0;
-    }
-
-    if (cap_free(caps) != 0) {
-        perror("Error freeing capabilities");
-        goto exit_0;
-    }
-
-    return 0;
-
-exit_0:
-    return -1;
-}
-
-
-/** Disable CAP_SYS_PTRACE. */
-int disable_cap_sys_ptrace() {
-    cap_t caps;
-    cap_value_t cap_list[] = {CAP_SYS_PTRACE};
-
-    caps = cap_get_proc();
-    if (caps == NULL) {
-        perror("Error getting capabilities");
-        goto exit_0;
-    }
-
-    if (cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_CLEAR) != 0) {
-        perror("Error setting effective capabilities");
-        goto exit_0;
-    }
-
-    if (cap_set_proc(caps) != 0) {
-        perror("Error setting capabilities");
-        goto exit_0;
-    }
-
-    if (cap_free(caps) != 0) {
-        perror("Error freeing capabilities");
-        goto exit_0;
-    }
-
-    return 0;
-
-exit_0:
-    return -1;
-}
-
-
-/** Enable CAP_SYS_ADMIN so we can enter a container network namespace. */
-int enable_cap_sys_admin() {
-    cap_t caps;
-    cap_value_t cap_list[] = {CAP_SYS_ADMIN};
-
-    caps = cap_get_proc();
-    if (caps == NULL) {
-        perror("Error getting capabilities");
-        goto exit_0;
-    }
-
-    if (cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET) != 0) {
+    if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET) != 0) {
         perror("Error setting effective capabilities");
         goto exit_0;
     }
@@ -164,17 +97,17 @@ int enable_cap_sys_admin() {
 }
 
 
-int disable_cap_sys_admin() {
+/** Disable a specific capability. */
+int disable_cap(cap_value_t cap) {
     cap_t caps;
-    cap_value_t cap_list[] = {CAP_SYS_ADMIN};
 
     caps = cap_get_proc();
     if (caps == NULL) {
         perror("Error getting capabilities");
         goto exit_0;
     }
 
-    if (cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_CLEAR) != 0) {
+    if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_CLEAR) != 0) {
         perror("Error setting effective capabilities");
         goto exit_0;
     }

diff --git a/src/capabilities.h b/src/capabilities.h
@@ -1,5 +1,7 @@
 #pragma once
 
+#include <sys/capability.h>
+
 
 /** Set ambient capabilities.
  *
@@ -11,30 +13,17 @@
 int set_ambient_capabilities();
 
 
-/** Enable CAP_SYS_PTRACE so we can access a container's network namespace.
- *
- * @return 0 on success, -1 on failure.
- */
-int enable_cap_sys_ptrace();
-
-
-/** Disable CAP_SYS_PTRACE again.
+/** Enable the given capability.
  *
  * @return 0 on success, -1 on failure.
  */
-int disable_cap_sys_ptrace();
+int enable_cap(cap_value_t cap);
 
 
-/** Enable CAP_SYS_ADMIN so we can switch namespaces.
+/** Disable the given capability.
  *
  * @return 0 on success, -1 on failure.
  */
-int enable_cap_sys_admin();
-
+int disable_cap(cap_value_t cap);
 
-/** Disable CAP_SYS_ADMIN again.
- *
- * @return 0 on success, -1 on failure.
- */
-int disable_cap_sys_admin();
 
diff --git a/src/container_wireguard.c b/src/container_wireguard.c
@@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/capability.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -140,19 +141,19 @@ static int cwg_set_ns(const char * netns_pid) {
     char netns_path[32];
     snprintf(netns_path, 32, "/proc/%s/ns/net", netns_pid);
 
-    enable_cap_sys_ptrace();
+    enable_cap(CAP_SYS_PTRACE);
     int netns_fd = open(netns_path, O_RDONLY | O_NONBLOCK);
-    disable_cap_sys_ptrace();
+    disable_cap(CAP_SYS_PTRACE);
 
     if (netns_fd == -1) {
         fprintf(stderr, "When opening %s\n", netns_path);
         perror("Could not open network namespace\n");
         goto exit_fail;
     }
 
-    enable_cap_sys_admin();
+    enable_cap(CAP_SYS_ADMIN);
     int err = setns(netns_fd, CLONE_NEWNET);
-    disable_cap_sys_admin();
+    disable_cap(CAP_SYS_ADMIN);
 
     if (err) {
         fprintf(stderr, "Could not enter namespace\n");

diff --git a/src/main.c b/src/main.c
@@ -1,15 +1,16 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/capability.h>
 #include <sys/mman.h>
 #include <sys/types.h>
 
 #include "config.h"
 
+#include "capabilities.h"
 #include "container_wireguard.h"
 
 
-
 void usage(const char * cmd) {
     fprintf(stderr, "Usage: %s <command> <arguments>\n\n", cmd);
 
@@ -33,7 +34,9 @@ int main(int argc, char * argv[]) {
 
     // Ensure private keys and the like don't get swapped out to a potentially
     // unencrypted swap partition.
-    mlockall(MCL_FUTURE);
+    enable_cap(CAP_IPC_LOCK);
+    mlockall(MCL_CURRENT | MCL_FUTURE);
+    disable_cap(CAP_IPC_LOCK);
 
     DISPATCH_CWG_CREATE(argv[1]);
     DISPATCH_CWG_CONNECT(argv[1]);