LinuxContainer/LinuxPod: Add support for NoNewPrivileges

Basically just a direct mapping to the prctl/OCI spec field.

Author: dcantah

Sources/Containerization/LinuxProcessConfiguration.swift

@@ -378,6 +378,10 @@ public struct LinuxProcessConfiguration: Sendable {
     /// behavior and are planning to use a terminal for stdin/out/err on the client side,
     /// this should likely be set to true.
     public var terminal: Bool = false
+    /// Whether to set the no_new_privileges bit on the container process. When true, the
+    /// process and its children cannot gain additional privileges via setuid/setgid binaries
+    /// or file capabilities.
+    public var noNewPrivileges: Bool = false
     /// The stdin for the process.
     public var stdin: ReaderStream?
     /// The stdout for the process.
@@ -395,6 +399,7 @@ public struct LinuxProcessConfiguration: Sendable {
         rlimits: [LinuxRLimit] = [],
         capabilities: LinuxCapabilities = .allCapabilities,
         terminal: Bool = false,
+        noNewPrivileges: Bool = false,
         stdin: ReaderStream? = nil,
         stdout: Writer? = nil,
         stderr: Writer? = nil
@@ -406,6 +411,7 @@ public struct LinuxProcessConfiguration: Sendable {
         self.rlimits = rlimits
         self.capabilities = capabilities
         self.terminal = terminal
+        self.noNewPrivileges = noNewPrivileges
         self.stdin = stdin
         self.stdout = stdout
         self.stderr = stderr
@@ -437,6 +443,7 @@ public struct LinuxProcessConfiguration: Sendable {
             args: self.arguments,
             cwd: self.workingDirectory,
             env: self.environmentVariables,
+            noNewPrivileges: self.noNewPrivileges,
             capabilities: self.capabilities.toOCI(),
             user: self.user,
             rlimits: self.rlimits.map { $0.toOCI() },

Sources/Integration/ContainerTests.swift

@@ -4076,4 +4076,114 @@ extension IntegrationSuite {
             throw error
         }
     }
+
+    func testNoNewPrivileges() async throws {
+        let id = "test-no-new-privileges"
+
+        let bs = try await bootstrap(id)
+        let buffer = BufferWriter()
+        let container = try LinuxContainer(id, rootfs: bs.rootfs, vmm: bs.vmm) { config in
+            config.process.arguments = ["cat", "/proc/self/status"]
+            config.process.noNewPrivileges = true
+            config.process.stdout = buffer
+            config.bootLog = bs.bootLog
+        }
+
+        try await container.create()
+        try await container.start()
+
+        let status = try await container.wait()
+        try await container.stop()
+
+        guard status.exitCode == 0 else {
+            throw IntegrationError.assert(msg: "process status \(status) != 0")
+        }
+
+        guard let output = String(data: buffer.data, encoding: .utf8) else {
+            throw IntegrationError.assert(msg: "failed to convert stdout to UTF8")
+        }
+
+        // /proc/self/status contains "NoNewPrivs:\t1" when the bit is set
+        guard output.contains("NoNewPrivs:\t1") else {
+            throw IntegrationError.assert(msg: "expected NoNewPrivs to be 1, got: \(output)")
+        }
+    }
+
+    func testNoNewPrivilegesDisabled() async throws {
+        let id = "test-no-new-privileges-disabled"
+
+        let bs = try await bootstrap(id)
+        let buffer = BufferWriter()
+        let container = try LinuxContainer(id, rootfs: bs.rootfs, vmm: bs.vmm) { config in
+            config.process.arguments = ["cat", "/proc/self/status"]
+            // noNewPrivileges defaults to false
+            config.process.stdout = buffer
+            config.bootLog = bs.bootLog
+        }
+
+        try await container.create()
+        try await container.start()
+
+        let status = try await container.wait()
+        try await container.stop()
+
+        guard status.exitCode == 0 else {
+            throw IntegrationError.assert(msg: "process status \(status) != 0")
+        }
+
+        guard let output = String(data: buffer.data, encoding: .utf8) else {
+            throw IntegrationError.assert(msg: "failed to convert stdout to UTF8")
+        }
+
+        // When noNewPrivileges is not set, NoNewPrivs should be 0
+        guard output.contains("NoNewPrivs:\t0") else {
+            throw IntegrationError.assert(msg: "expected NoNewPrivs to be 0, got: \(output)")
+        }
+    }
+
+    func testNoNewPrivilegesExec() async throws {
+        let id = "test-no-new-privileges-exec"
+
+        let bs = try await bootstrap(id)
+        let container = try LinuxContainer(id, rootfs: bs.rootfs, vmm: bs.vmm) { config in
+            config.process.arguments = ["sleep", "100"]
+            config.bootLog = bs.bootLog
+        }
+
+        do {
+            try await container.create()
+            try await container.start()
+
+            // Exec a process with noNewPrivileges set
+            let buffer = BufferWriter()
+            let exec = try await container.exec("nnp-exec") { config in
+                config.arguments = ["cat", "/proc/self/status"]
+                config.noNewPrivileges = true
+                config.stdout = buffer
+            }
+
+            try await exec.start()
+            let status = try await exec.wait()
+            try await exec.delete()
+
+            guard status.exitCode == 0 else {
+                throw IntegrationError.assert(msg: "exec status \(status) != 0")
+            }
+
+            guard let output = String(data: buffer.data, encoding: .utf8) else {
+                throw IntegrationError.assert(msg: "failed to convert stdout to UTF8")
+            }
+
+            guard output.contains("NoNewPrivs:\t1") else {
+                throw IntegrationError.assert(msg: "expected NoNewPrivs to be 1 in exec, got: \(output)")
+            }
+
+            try await container.kill(SIGKILL)
+            try await container.wait()
+            try await container.stop()
+        } catch {
+            try? await container.stop()
+            throw error
+        }
+    }
 }

Sources/Integration/Suite.swift

@@ -369,6 +369,9 @@ struct IntegrationSuite: AsyncParsableCommand {
                 Test("container useInit zombie reaping", testUseInitZombieReaping),
                 Test("container useInit with terminal", testUseInitWithTerminal),
                 Test("container useInit with stdin", testUseInitWithStdin),
+                Test("container noNewPrivileges", testNoNewPrivileges),
+                Test("container noNewPrivileges disabled", testNoNewPrivilegesDisabled),
+                Test("container noNewPrivileges exec", testNoNewPrivilegesExec),
 
                 // Pods
                 Test("pod single container", testPodSingleContainer),

vminitd/Sources/LCShim/include/syscall.h

@@ -35,4 +35,6 @@ int CZ_pidfd_open(pid_t pid, unsigned int flags);
 
 int CZ_pidfd_getfd(int pidfd, int targetfd, unsigned int flags);
 
+int CZ_prctl_set_no_new_privs();
+
 #endif

vminitd/Sources/LCShim/syscall.c

@@ -35,3 +35,7 @@ int CZ_pidfd_getfd(int pidfd, int targetfd, unsigned int flags) {
   // Musl doesn't have pidfd_getfd.
   return syscall(SYS_pidfd_getfd, pidfd, targetfd, flags);
 }
+
+int CZ_prctl_set_no_new_privs() {
+  return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+}

vminitd/Sources/vmexec/ExecCommand.swift

@@ -145,6 +145,9 @@ struct ExecCommand: ParsableCommand {
             // Finish capabilities (after user change)
             try App.finishCapabilities(preparedCaps)
 
+            // Set no_new_privs if requested by the OCI spec.
+            try App.setNoNewPrivileges(process: process)
+
             try App.exec(process: process, currentEnv: process.env)
         } else {  // parent process
             // Send our child's pid to our parent before we exit.

vminitd/Sources/vmexec/RunCommand.swift

@@ -196,6 +196,9 @@ struct RunCommand: ParsableCommand {
         // Finish capabilities (after user change)
         try App.finishCapabilities(preparedCaps)
 
+        // Set no_new_privs if requested by the OCI spec.
+        try App.setNoNewPrivileges(process: process)
+
         // Finally execve the container process.
         try App.exec(process: process, currentEnv: process.env)
     }

vminitd/Sources/vmexec/vmexec.swift

@@ -233,6 +233,13 @@ extension App {
         try? caps.apply(kind: [.ambs])
     }
 
+    static func setNoNewPrivileges(process: ContainerizationOCI.Process) throws {
+        guard process.noNewPrivileges else { return }
+        guard CZ_prctl_set_no_new_privs() == 0 else {
+            throw App.Errno(stage: "prctl(PR_SET_NO_NEW_PRIVS)")
+        }
+    }
+
     static func Errno(stage: String, info: String = "") -> ContainerizationError {
         let posix = POSIXError(.init(rawValue: errno)!, userInfo: ["stage": stage])
         return ContainerizationError(.internalError, message: "\(info) \(String(describing: posix))")