Created attachment 306749 [details] Working userspace code using raw syscalls The implementation of cap_iab_set_proc sets the “raising” flag if (1) any non-inheritable, non-permitted flag is being added to the inheritable set, (2) any flag is being removed from the bounding set, or (3) any flag is being added to the ambient set. It then tries to add CAP_SETPCAP to the effective set temporarily if this flag is set, before doing its real work. According to the capabilities(7) man page, CAP_SETPCAP is needed to do (1) and (2), but not (3). Experimentation (on kernel 6.6.38) confirms this to be the case. Attached are C programs that should be run with an fscap adding some capability to their permitted set (e.g. “capset cap_net_raw=p works” or “capset cap_net_raw=p fails”), as a non-root user. They try to add that capability to their inheritable set, then to their ambient set. “works.c” uses raw syscalls to do this and works fine (this can easily be verified when it hits the pause() call by examining its /proc/pid/status). “fails.c” uses libcap to do the same thing and fails, because it doesn’t have CAP_SETPCAP. “ambient-without-setpcap.patch” fixes this (building libcap with this patch allows “fails” to work as well), though I don’t know my history well enough to know whether some ancient version of Linux actually needed this logic in its original form.
Created attachment 306750 [details] Failing userspace code using libcap calls
Created attachment 306751 [details] Fix to libcap
Yes, a simple way to confirm this check isn't needed is: $ sudo capsh --caps=cap_setuid=ip --addamb=cap_setuid --current
Should have included the output to the above (works): $ sudo capsh --caps=cap_setuid=ip --addamb=cap_setuid --current Current: cap_setuid=ip Current IAB: ^cap_setuid Similarly, a simple way to confirm the bug is (fails): $ sudo capsh --caps=cap_setuid=p --current --iab=^cap_setuid --current Current: cap_setuid=p Current IAB: unable to set IAB tuple: Operation not permitted
This may not discount your examples (I’m not really familiar with capsh), but my example was for invoking as a non-root user, just to clarify.
Also, relatedly, the man page for cap_get_proc incorrectly claims that cap_set_ambient requires CAP_SETPCAP, though it actually doesn’t, and doesn’t suffer from this bug in practice.
Thanks for this bug report. (I'll fix the man pages.) The user vs root isn't an issue. The same reproductions but first changing user: [works] $ sudo capsh --user=$(whoami) --caps=cap_setuid=ip --addamb=cap_setuid --current Current: cap_setuid=ip Current IAB: ^cap_setuid [fails] $ sudo capsh --user=$(whoami) --caps=cap_setuid=p --current --iab=^cap_setuid --current Current: cap_setuid=p Current IAB: unable to set IAB tuple: Operation not permitted Looking at the code, there is another issue there too: [fails] $ sudo capsh --user=$(whoami) --current --iab='^cap_setuid,!cap_setgid' --current --caps=cap_setuid=ip --current --iab='^cap_setuid,!cap_setgid' --current Current: =ep Current IAB: Current: =ep cap_setuid+i Current IAB: !cap_setgid,^cap_setuid Current: cap_setuid=ip Current IAB: !cap_setgid,^cap_setuid unable to set IAB tuple: Operation not permitted That is, the second attempt to block one of the bounding set bits is redundant with the first attempt. It should be able to reach the (unchanged) target IAB value without the CAP_SETPCAP bit enabled for that second attempt. The same issue is also present in the Go "cap" package.
Should be fixed with this commit: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bbcfccdcc4d4a8eb4669c5f3b0467b981a1b382e In the git tree: $ make $ sudo progs/capsh --user=$(whoami) --caps=cap_setuid=ip --addamb=cap_setuid --current Current: cap_setuid=ip Current IAB: ^cap_setuid $ sudo progs/capsh --user=$(whoami) --caps=cap_setuid=p --current --iab=^cap_setuid --current Current: cap_setuid=p Current IAB: Current: cap_setuid=ip Current IAB: ^cap_setuid $ sudo progs/capsh --user=$(whoami) --current --iab='^cap_setuid,!cap_setgid' --current --caps=cap_setuid=ip --current --iab='^cap_setuid,!cap_setgid' --current Current: =p Current IAB: Current: =p cap_setuid+i Current IAB: !cap_setgid,^cap_setuid Current: cap_setuid=ip Current IAB: !cap_setgid,^cap_setuid Current: cap_setuid=ip Current IAB: !cap_setgid,^cap_setuid I'll mark this bug fixed when I've also addressed the Go package, "cap".
Plan remains to release this fix in libcap-2.71.
The Go package update to regain parity with libcap: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=9e4b652f489bce688397447a08b70847c8b64a74 The cap/v1.2.71 package will honor the correct behavior.