lock_pool drops capabilities even when running as root
Mike Crowe
mac at mcrowe.com
Wed Dec 3 18:57:57 CET 2014
We're using libgcrypt in an embedded application that runs as root
(i.e. UID=EUID=0.) We recently discovered that libgcrypt operations that
allocate secure memory caused all the process's capabilities to be dropped
causing surprises later when the rest of the application tries to perform
privileged operations.
We upgraded libgcrypt so we could use
gcry_control(GCRYCTL_DISABLE_PRIV_DROP) but this did not help (for reasons
that were obvious once I looked more closely.)
The culprit would appear to be the code at the start of secmem.c:lock_pool
that calls cap_set_proc. Before calling, my capabilities are:
CapInh: 0000000000000000
CapPrm: 0000001fffffffff
CapEff: 0000001fffffffff
CapBnd: 0000001fffffffff
afterwards they are:
CapInh: 0000000000000000
CapPrm: 0000000000004000
CapEff: 0000000000000000
CapBnd: 0000001fffffffff
Borrowing the "uid && !geteuid()" check from lower down fixes the problem
for me but I suspect that isn't sufficient for all use cases.
--- secmem.c~ 2014-08-21 13:50:39.000000000 +0100
+++ secmem.c 2014-12-03 17:55:08.446683419 +0000
@@ -243,6 +243,7 @@ lock_pool (void *p, size_t n)
#if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK)
int err;
+ if (uid && ! geteuid ())
{
cap_t cap;
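Review bot: gating the whole `{ cap_t cap; ... }` block on `if (uid && ! geteuid ())` means a process that is genuinely root (real and effective uid 0, the case described in the post) never reaches `cap_set_proc`, which explains why CapPrm no longer collapses to 0x4000 (bit 14 only) with CapEff cleared. Two things to confirm that the hunk does not show: that `uid` is assigned before this test in the USE_CAPABILITIES branch rather than only in the `#elif` path the check was borrowed from, and that the `mlock` call this function exists for is not inside the same braces, otherwise a real-root process skips the lock along with the capability juggling. Since the post says GCRYCTL_DISABLE_PRIV_DROP had no effect here, checking that flag in this branch (as the non-capabilities path presumably does) would cover the setuid-root case as well as the uid-0 case, whereas the uid test alone still drops capabilities for a setuid-root helper that later needs them.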
Thanks.
Mike.
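As an added diagnostic (not code from the post above or from libgcrypt), the following Python decodes the CapPrm/CapEff masks quoted in the message, showing that 0000000000004000 is bit 14, CAP_IPC_LOCK, and lets a caller snapshot /proc/self/status before and after a secure-memory allocation to verify what was dropped; the capability bit table is the standard Linux one and the sample strings are the post's own values.

```python
# Added example, not code from the post or from libgcrypt: decode the Cap*
# lines of /proc/<pid>/status so a capability drop caused by a secure-memory
# allocation can be spotted by comparing snapshots taken before and after.
import re

# Bit numbers follow <linux/capability.h>; higher bits are reported as CAP_<bit>.
CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND",
)

# The two snapshots quoted in the post, reproduced as /proc status text.
BEFORE = ("CapInh:\t0000000000000000\nCapPrm:\t0000001fffffffff\n"
          "CapEff:\t0000001fffffffff\nCapBnd:\t0000001fffffffff\n")
AFTER = ("CapInh:\t0000000000000000\nCapPrm:\t0000000000004000\n"
         "CapEff:\t0000000000000000\nCapBnd:\t0000001fffffffff\n")

def parse_caps(status_text):
    """Map each Cap* line of /proc/<pid>/status text to an integer mask."""
    pat = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)
    return {m.group(1): int(m.group(2), 16) for m in pat.finditer(status_text)}

def cap_names(mask):
    """Names of the capabilities set in a mask, lowest bit first."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(mask.bit_length()) if (mask >> b) & 1]

def lost_caps(before, after, cap_set="CapEff"):
    """Capabilities present in `before` but cleared in `after` for one set."""
    return cap_names(before[cap_set] & ~after[cap_set])

def read_own_caps():
    """Snapshot the calling process (Linux only); call around gcry operations."""
    with open("/proc/self/status") as f:
        return parse_caps(f.read())

if __name__ == "__main__":
    b, a = parse_caps(BEFORE), parse_caps(AFTER)
    print("permitted after:", cap_names(a["CapPrm"]))   # ['CAP_IPC_LOCK']
    print("effective caps lost:", len(lost_caps(b, a)))  # 37
```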