server: Handle Partial/Full caps separately, similar to C

bilelmoussaoui · bilelmoussaoui · commit e8208b5d9bc7 · 2025-06-01T12:01:27.000+02:00
diff --git a/server/src/capability.rs b/server/src/capability.rs
@@ -8,7 +8,6 @@ pub enum Error {
     DropGroups(nix::Error),
     SetGid(nix::Error),
     SetUid(nix::Error),
-    InsufficientCapabilities,
 }
 
 impl std::fmt::Display for Error {
@@ -19,45 +18,149 @@ impl std::fmt::Display for Error {
             Self::DropGroups(e) => write!(f, "Failed to drop supplementary groups: {}", e),
             Self::SetGid(e) => write!(f, "Failed to setgid: {}", e),
             Self::SetUid(e) => write!(f, "Failed to setuid: {}", e),
-            Self::InsufficientCapabilities => write!(
-                f,
-                "Insufficient process capabilities, insecure memory might get used"
-            ),
         }
     }
 }
 
 impl std::error::Error for Error {}
 
-pub fn drop_unnecessary_capabilities() -> Result<(), Error> {
-    // Load current process capabilities
-    let permitted_caps = caps::read(None, CapSet::Permitted).map_err(Error::CapsRead)?;
+#[derive(Debug, PartialEq)]
+enum CapabilityState {
+    // We are either setuid root or the root user
+    Full,
+    // File system based capabilities
+    Partial,
+    None,
+}
+
+fn handle_full_capabilities() -> Result<(), Error> {
+    // First, prepare the capability sets we want to end up with
+    let mut ipc_lock_caps = CapsHashSet::new();
+    ipc_lock_caps.insert(Capability::CAP_IPC_LOCK);
+
+    // Clear all capabilities first, but DON'T touch bounding set yet
+    let empty_caps = CapsHashSet::new();
+    caps::set(None, CapSet::Effective, &empty_caps).map_err(Error::CapsUpdate)?;
+    caps::set(None, CapSet::Permitted, &empty_caps).map_err(Error::CapsUpdate)?;
+
+    // Set only CAP_IPC_LOCK in permitted and effective (before identity change)
+    caps::set(None, CapSet::Permitted, &ipc_lock_caps).map_err(Error::CapsUpdate)?;
+    caps::set(None, CapSet::Effective, &ipc_lock_caps).map_err(Error::CapsUpdate)?;
+
+    // Drop supplementary groups first
+    setgroups(&[]).map_err(Error::DropGroups)?;
+
+    // Change to real GID
+    setgid(getgid()).map_err(Error::SetGid)?;
+
+    // Change to real UID (this should be done last)
+    setuid(getuid()).map_err(Error::SetUid)?;
+
+    // NOW we can safely clear the bounding set (after identity change)
+    if let Err(err) = caps::set(None, CapSet::Bounding, &ipc_lock_caps) {
+        tracing::debug!(
+            "Could not clear bounding set (may not be supported): {}",
+            err
+        );
+    }
+
+    Ok(())
+}
+
+fn handle_partial_capabilities() -> Result<(), Error> {
+    let effective_caps = caps::read(None, CapSet::Effective).map_err(Error::CapsRead)?;
+
+    // Check if we have CAP_IPC_LOCK in effective set
+    if !effective_caps.contains(&Capability::CAP_IPC_LOCK) {
+        tracing::warn!("Insufficient process capabilities, insecure memory might get used");
+    }
+
+    // Check if we have CAP_SETPCAP for bounding set manipulation
+    let has_setpcap =
+        caps::has_cap(None, CapSet::Effective, Capability::CAP_SETPCAP).map_err(Error::CapsRead)?;
+
+    // Clear all capabilities first
+    let empty_caps = CapsHashSet::new();
+    caps::set(None, CapSet::Effective, &empty_caps).map_err(Error::CapsUpdate)?;
+    caps::set(None, CapSet::Permitted, &empty_caps).map_err(Error::CapsUpdate)?;
+
+    // Only clear bounding set if we have CAP_SETPCAP
+    if has_setpcap {
+        if let Err(err) = caps::set(None, CapSet::Bounding, &empty_caps) {
+            tracing::warn!("Failed to clear bounding set: {}", err);
+        }
+    }
 
-    if permitted_caps.contains(&Capability::CAP_IPC_LOCK) {
-        // Check if CAP_SETPCAP is available (needed to drop bounding set and groups)
-        let has_setpcap = caps::has_cap(None, CapSet::Permitted, Capability::CAP_SETPCAP)
-            .map_err(Error::CapsRead)?;
-
-        let mut drop_caps = CapsHashSet::new();
-        drop_caps.insert(Capability::CAP_IPC_LOCK);
-
-        // Clear other capabilities and apply only CAP_IPC_LOCK
-        caps::set(None, CapSet::Effective, &drop_caps).map_err(Error::CapsUpdate)?;
-        caps::set(None, CapSet::Permitted, &drop_caps).map_err(Error::CapsUpdate)?;
-
-        // Drop supplementary groups and switch to real UID/GID.
-        if has_setpcap {
-            setgroups(&[]).map_err(Error::DropGroups)?;
-            setgid(getgid()).map_err(Error::SetGid)?;
-            setuid(getuid()).map_err(Error::SetUid)?;
-        } else {
-            return Err(Error::InsufficientCapabilities);
+    // Add only CAP_IPC_LOCK to effective and permitted sets
+    let mut ipc_lock_caps = CapsHashSet::new();
+    ipc_lock_caps.insert(Capability::CAP_IPC_LOCK);
+
+    caps::set(None, CapSet::Effective, &ipc_lock_caps).map_err(Error::CapsUpdate)?;
+    caps::set(None, CapSet::Permitted, &ipc_lock_caps).map_err(Error::CapsUpdate)?;
+
+    // Only set bounding set if we have CAP_SETPCAP and cleared it successfully
+    if has_setpcap {
+        if let Err(err) = caps::set(None, CapSet::Bounding, &ipc_lock_caps) {
+            tracing::warn!("Failed to set bounding set: {}", err);
         }
-    } else if permitted_caps.is_empty() {
-        tracing::warn!("No process capabilities, insecure memory might get used");
-        return Ok(());
+    }
+
+    Ok(())
+}
+
+/// Determines the current capability state of the process
+/// This mirrors the logic from libcap-ng's capng_have_capabilities()
+fn determine_capability_state() -> Result<CapabilityState, Error> {
+    let effective_caps = caps::read(None, CapSet::Effective).map_err(Error::CapsRead)?;
+    let permitted_caps = caps::read(None, CapSet::Permitted).map_err(Error::CapsRead)?;
+    let bounding_caps = caps::read(None, CapSet::Bounding).map_err(Error::CapsRead)?;
+
+    // Check if we have no capabilities at all
+    if permitted_caps.is_empty() && effective_caps.is_empty() {
+        return Ok(CapabilityState::None);
+    }
+
+    // To match libcap-ng logic more closely, check if we have "most" capabilities
+    // This is a heuristic - if we have a substantial number of capabilities,
+    // we're likely in FULL state (setuid root or running as root)
+
+    // Count total unique capabilities across all sets
+    let mut all_caps = permitted_caps.clone();
+    all_caps.extend(&effective_caps);
+    all_caps.extend(&bounding_caps);
+
+    // If we have 10+ capabilities total, likely FULL state
+    // This matches libcap-ng's heuristic more closely than checking specific caps
+    if all_caps.len() >= 10 {
+        Ok(CapabilityState::Full)
     } else {
-        return Err(Error::InsufficientCapabilities);
+        // Otherwise, we have partial/filesystem-based capabilities
+        Ok(CapabilityState::Partial)
+    }
+}
+
+pub fn drop_unnecessary_capabilities() -> Result<(), Error> {
+    // First, verify we can read capabilities at all (equivalent to CAPNG_FAIL
+    // check)
+    if let Err(e) = caps::read(None, CapSet::Effective) {
+        // Critical error - cannot proceed safely, should abort like C version
+        tracing::error!("Error getting process capabilities: {:?}, aborting", e);
+        std::process::exit(1);
+    }
+
+    match determine_capability_state()? {
+        CapabilityState::Full => {
+            // We are either setuid root or the root user
+            handle_full_capabilities()?;
+        }
+        CapabilityState::None => {
+            tracing::warn!("No process capabilities, insecure memory might get used");
+            return Ok(());
+        }
+        CapabilityState::Partial => {
+            // File system based capabilities
+            handle_partial_capabilities()?;
+        }
     }
 
     Ok(())
