Add missing Linux capability checks for SO_BINDTODEVICE, mknod, sched_setaffinity, and setpriority

pkg/sentry/fsimpl/proc/tasks_sys.go

@@ -76,7 +76,7 @@ func (fs *filesystem) newSysDir(ctx context.Context, root *auth.Credentials, k *
 			"version":   fs.newInode(ctx, root, 0444, newStaticFile(version.LinuxVersion)),
 		}),
 		"fs": fs.newStaticDir(ctx, root, map[string]kernfs.Inode{
-			"nr_open": fs.newInode(ctx, root, 0644, &atomicInt32File{val: &k.MaxFDLimit, min: 8, max: kernel.MaxFdLimit}),
+			"nr_open": fs.newInode(ctx, root, 0644, &atomicInt32File{val: &k.MaxFDLimit, min: 8, max: kernel.MaxFdLimit, requiredCap: linux.CAP_SYS_ADMIN}),
 		}),
 		"vm": fs.newStaticDir(ctx, root, map[string]kernfs.Inode{
 			"max_map_count":     fs.newInode(ctx, root, 0444, newStaticFile("2147483647\n")),
@@ -236,6 +236,12 @@ func (d *tcpSackData) Write(ctx context.Context, _ *vfs.FileDescription, src use
 		// No need to handle partial writes thus far.
 		return 0, linuxerr.EINVAL
 	}
+	// Linux requires CAP_NET_ADMIN for writes to /proc/sys/net sysctls.
+	// See net/sysctl_net.c:net_ctl_permissions().
+	creds := auth.CredentialsFromContext(ctx)
+	if !creds.HasRootCapability(linux.CAP_NET_ADMIN) {
+		return 0, linuxerr.EPERM
+	}
 	buf := make([]int32, 1)
 	n, err := ParseInt32Vec(ctx, src, buf)
 	if err != nil || n == 0 {
@@ -277,6 +283,10 @@ func (d *tcpRecoveryData) Write(ctx context.Context, _ *vfs.FileDescription, src
 		// No need to handle partial writes thus far.
 		return 0, linuxerr.EINVAL
 	}
+	creds := auth.CredentialsFromContext(ctx)
+	if !creds.HasRootCapability(linux.CAP_NET_ADMIN) {
+		return 0, linuxerr.EPERM
+	}
 	buf := make([]int32, 1)
 	n, err := ParseInt32Vec(ctx, src, buf)
 	if err != nil || n == 0 {
@@ -324,6 +334,10 @@ func (d *tcpMemData) Write(ctx context.Context, _ *vfs.FileDescription, src user
 		// No need to handle partial writes thus far.
 		return 0, linuxerr.EINVAL
 	}
+	creds := auth.CredentialsFromContext(ctx)
+	if !creds.HasRootCapability(linux.CAP_NET_ADMIN) {
+		return 0, linuxerr.EPERM
+	}
 	d.mu.Lock()
 	defer d.mu.Unlock()
 	size, err := d.readSizeLocked()
@@ -449,6 +463,10 @@ func (pr *portRange) Write(ctx context.Context, _ *vfs.FileDescription, src user
 		// No need to handle partial writes thus far.
 		return 0, linuxerr.EINVAL
 	}
+	creds := auth.CredentialsFromContext(ctx)
+	if !creds.HasRootCapability(linux.CAP_NET_ADMIN) {
+		return 0, linuxerr.EPERM
+	}
 
 	ports := make([]int32, 2)
 	n, err := ParseInt32Vec(ctx, src, ports)
@@ -480,8 +498,9 @@ func (pr *portRange) Write(ctx context.Context, _ *vfs.FileDescription, src user
 type atomicInt32File struct {
 	kernfs.DynamicBytesFile
 
-	val      *atomicbitops.Int32
-	min, max int32
+	val         *atomicbitops.Int32
+	min, max    int32
+	requiredCap linux.Capability
 }
 
 var _ vfs.WritableDynamicBytesSource = (*atomicInt32File)(nil)
@@ -498,6 +517,12 @@ func (f *atomicInt32File) Write(ctx context.Context, _ *vfs.FileDescription, src
 		// Ignore partial writes.
 		return 0, linuxerr.EINVAL
 	}
+	if f.requiredCap != 0 {
+		creds := auth.CredentialsFromContext(ctx)
+		if !creds.HasRootCapability(f.requiredCap) {
+			return 0, linuxerr.EPERM
+		}
+	}
 	buf := make([]int32, 1)
 	n, err := ParseInt32Vec(ctx, src, buf)
 	if err != nil || n == 0 {

pkg/sentry/socket/netstack/netstack.go

@@ -2059,6 +2059,11 @@ func SetSockOptSocket(t *kernel.Task, s socket.Socket, ep commonEndpoint, name i
 		return nil
 
 	case linux.SO_BINDTODEVICE:
+		// Linux requires CAP_NET_RAW to use SO_BINDTODEVICE.
+		// See net/core/sock.c:sock_setsockopt().
+		if !s.HasCapability(linux.CAP_NET_RAW, t) {
+			return syserr.ErrNotPermitted
+		}
 		n := bytes.IndexByte(optVal, 0)
 		if n == -1 {
 			n = len(optVal)

pkg/sentry/syscalls/linux/sys_file.go

@@ -64,6 +64,12 @@ func mknodat(t *kernel.Task, dirfd int32, addr hostarch.Addr, mode linux.FileMod
 	if mode.FileType() == 0 {
 		mode |= linux.ModeRegular
 	}
+	// Linux requires CAP_MKNOD to create block or character device nodes.
+	// See fs/namei.c:vfs_mknod().
+	if (mode.FileType() == linux.ModeCharacterDevice || mode.FileType() == linux.ModeBlockDevice) &&
+		!t.HasCapabilityIn(linux.CAP_MKNOD, t.Credentials().UserNamespace) {
+		return linuxerr.EPERM
+	}
 	major, minor := linux.DecodeDeviceID(dev)
 	return t.Kernel().VFS().MknodAt(t, t.Credentials(), &tpop.pop, &vfs.MknodOptions{
 		Mode:     mode &^ linux.FileMode(t.FSContext().Umask()),

pkg/sentry/syscalls/linux/sys_thread.go

@@ -479,6 +479,16 @@ func SchedSetaffinity(t *kernel.Task, sysno uintptr, args arch.SyscallArguments)
 		if task == nil {
 			return 0, nil, linuxerr.ESRCH
 		}
+		// Linux requires the caller's EUID to match the target's
+		// real or effective UID, or CAP_SYS_NICE. See
+		// kernel/sched/core.c:check_same_owner().
+		creds := t.Credentials()
+		tcreds := task.Credentials()
+		if creds.EffectiveKUID != tcreds.EffectiveKUID &&
+			creds.EffectiveKUID != tcreds.RealKUID &&
+			!creds.HasCapabilityIn(linux.CAP_SYS_NICE, tcreds.UserNamespace) {
+			return 0, nil, linuxerr.EPERM
+		}
 	}
 
 	mask := sched.NewCPUSet(t.Kernel().ApplicationCores())
@@ -729,6 +739,18 @@ func Setpriority(t *kernel.Task, sysno uintptr, args arch.SyscallArguments) (uin
 			return 0, nil, linuxerr.ESRCH
 		}
 
+		// Linux requires UID match or CAP_SYS_NICE to set
+		// another process's priority. See kernel/sys.c:set_one_prio().
+		if task != t {
+			creds := t.Credentials()
+			tcreds := task.Credentials()
+			if creds.EffectiveKUID != tcreds.RealKUID &&
+				creds.EffectiveKUID != tcreds.EffectiveKUID &&
+				!creds.HasCapabilityIn(linux.CAP_SYS_NICE, tcreds.UserNamespace) {
+				return 0, nil, linuxerr.EPERM
+			}
+		}
+
 		task.SetNiceness(niceval)
 	case linux.PRIO_USER:
 		fallthrough