lock_pool drops capabilities even when running as root

Mike Crowe mac at mcrowe.com
Wed Dec 3 18:57:57 CET 2014


We're using libgcrypt in an embedded application that runs as root
(i.e. UID=EUID=0). We recently discovered that libgcrypt operations that
allocate secure memory caused all the process's capabilities to be dropped,
causing surprises later when the rest of the application tries to perform
privileged operations.

We upgraded libgcrypt so we could use
gcry_control(GCRYCTL_DISABLE_PRIV_DROP), but this did not help (for reasons
that were obvious once I looked more closely).

The culprit would appear to be the code at the start of secmem.c:lock_pool
that calls cap_set_proc. Before calling it, my capabilities are:

 CapInh: 0000000000000000
 CapPrm: 0000001fffffffff
 CapEff: 0000001fffffffff
 CapBnd: 0000001fffffffff

afterwards they are:

 CapInh: 0000000000000000
 CapPrm: 0000000000004000
 CapEff: 0000000000000000
 CapBnd: 0000001fffffffff

Borrowing the "uid && !geteuid()" check from lower down fixes the problem
for me but I suspect that isn't sufficient for all use cases.

--- secmem.c~	2014-08-21 13:50:39.000000000 +0100
+++ secmem.c	2014-12-03 17:55:08.446683419 +0000
@@ -243,6 +243,7 @@ lock_pool (void *p, size_t n)
 #if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK)
   int err;
 
+  if (uid && ! geteuid ())
   {
     cap_t cap;
 

Thanks.

Mike.
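As an added example, not code from the post or from libgcrypt, here is a small C program that decodes the Cap* lines of /proc/self/status, such as the two snapshots quoted above, so that a process can check what a secure-memory allocation left behind. The remaining permitted value 0x4000 is bit 14, CAP_IPC_LOCK (the number comes from linux/capability.h), which mlock() needs; it is absent from CapEff, so it is not even usable. The sample status text is constructed from the post's two snapshots.

```c
/* Added example (not from the original post or libgcrypt): decode the
 * Cap* fields of /proc/<pid>/status and compare two snapshots. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_IPC_LOCK 14   /* from <linux/capability.h>; the capability mlock() needs */

/* Find "<field>:" at the start of a line in a status buffer and parse its
 * hex value. Returns 1 on success, 0 if the field is missing. */
int parse_cap_field(const char *status, const char *field, uint64_t *out)
{
    char key[32];
    snprintf(key, sizeof key, "%s:", field);
    const char *p = status;
    while ((p = strstr(p, key)) != NULL) {
        if (p == status || p[-1] == '\n') {
            unsigned long long v;
            if (sscanf(p + strlen(key), " %llx", &v) != 1)
                return 0;
            *out = (uint64_t)v;
            return 1;
        }
        p += strlen(key);
    }
    return 0;
}

/* Bitmask of capabilities present before but gone afterwards. */
uint64_t caps_lost(uint64_t before, uint64_t after) { return before & ~after; }

int cap_is_set(uint64_t mask, int cap) { return (int)((mask >> cap) & 1); }

/* Read the live process's status file; returns 0 if /proc is unavailable. */
int read_proc_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 1;
}

/* Constructed sample input: the two snapshots quoted in the post. */
static const char *BEFORE =
    "CapInh:\t0000000000000000\nCapPrm:\t0000001fffffffff\n"
    "CapEff:\t0000001fffffffff\nCapBnd:\t0000001fffffffff\n";
static const char *AFTER =
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000004000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000001fffffffff\n";

int main(void)
{
    uint64_t prm_b = 0, prm_a = 0, eff_a = 0;
    parse_cap_field(BEFORE, "CapPrm", &prm_b);
    parse_cap_field(AFTER, "CapPrm", &prm_a);
    parse_cap_field(AFTER, "CapEff", &eff_a);
    printf("permitted caps lost: %#llx\n", (unsigned long long)caps_lost(prm_b, prm_a));
    printf("CAP_IPC_LOCK permitted: %d, effective: %d\n",
           cap_is_set(prm_a, CAP_IPC_LOCK), cap_is_set(eff_a, CAP_IPC_LOCK));
    return 0;
}
```

To check a real process, call read_proc_status() before and after the secure-memory allocation and run the same comparison on the two buffers.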