deescalate API

Functions

lockdown_account(uid=None, gid=None, caps_to_keep=None)

Deescalate the privileges of the running process.

lockdown_account will:

  • set the secure bits noroot, keep_caps, no_setuid_fixup and their locked companions
  • perform a setgid and a setuid
  • restrict the three capability sets (effective, permitted, inheritable) and the bounding set to the capabilities listed in caps_to_keep
  • set no_new_privs
Parameters:
  • uid (int or string, optional) -- switch to this UID
  • gid (int or string, optional) -- switch to this GID
  • caps_to_keep (list of bytes, optional) -- a list of capabilities to keep
Raises:
  • RuntimeError -- if some capability operation fails
  • OSError -- operation not permitted

Note

When not on Linux, only setgid and setuid will be performed.

Examples

>>> lockdown_account('www-data', 'www-data', 'net_bind_service')
>>> lockdown_account('scapy', 'scapy', ['net_admin', 'net_raw'])
get_securebits()

Return the currently defined secure bits.

Returns: 2-tuple (the securebits as an int, a dict of securebits)
set_noroot(locked=True)
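The step order that lockdown_account performs (securebits, setgid/setuid, capability restriction, no_new_privs) and the 2-tuple shape that get_securebits returns, as an added example written against the standard library and libc through ctypes; it is not deescalate's own code, which does this in a C extension. Assumptions: a Linux libc that exports prctl and capset (glibc and musl do); the securebit and capability values are the C constants from this page's constants table, and the prctl option numbers and capability header version come from the kernel headers. The setgroups call is an addition the page's step list does not mention. The mask, decoding and name-resolution helpers run unprivileged; lockdown_account() itself needs CAP_SETPCAP, CAP_SETGID and CAP_SETUID to start with, so in practice it is run as root.

```python
import ctypes
import ctypes.util
import grp
import os
import pwd
import sys

# Securebit values: the C constants listed on this page (they match <linux/securebits.h>).
SECUREBITS = {"noroot": 1, "noroot_locked": 2, "no_setuid_fixup": 4,
              "no_setuid_fixup_locked": 8, "keep_caps": 16, "keep_caps_locked": 32}

# HARD_CODED_CAPS as listed on this page; a name's position is the kernel's capability
# number (CAP_CHOWN = 0, CAP_NET_BIND_SERVICE = 10, CAP_BLOCK_SUSPEND = 36).
HARD_CODED_CAPS = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid",
    "setuid", "setpcap", "linux_immutable", "net_bind_service", "net_broadcast",
    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", "sys_rawio",
    "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease", "audit_write",
    "audit_control", "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend"]

# prctl(2) option numbers and the capset(2) header version, from the kernel headers.
PR_CAPBSET_DROP, PR_GET_SECUREBITS, PR_SET_SECUREBITS, PR_SET_NO_NEW_PRIVS = 24, 27, 28, 38
LINUX_CAPABILITY_VERSION_3 = 0x20080522


def decode_securebits(value):
    """Same shape as get_securebits(): (raw int, {bit name: is it set})."""
    return value, {name: bool(value & bit) for name, bit in SECUREBITS.items()}


def securebits_mask(locked=True):
    """The mask lockdown_account installs: noroot, keep_caps, no_setuid_fixup (+ locks)."""
    bits = 0
    for name in ("noroot", "keep_caps", "no_setuid_fixup"):
        bits |= SECUREBITS[name] | (SECUREBITS[name + "_locked"] if locked else 0)
    return bits


def cap_mask(names):
    """Bitmask for one capability name (str or bytes) or a list of them; unknown names raise."""
    if isinstance(names, (str, bytes)):
        names = [names]
    mask = 0
    for name in names:
        text = name.decode() if isinstance(name, bytes) else name
        mask |= 1 << HARD_CODED_CAPS.index(text.strip().lower())
    return mask


def resolve_uid(uid):  # "int or string", as in the page's parameter table
    return uid if isinstance(uid, int) else pwd.getpwnam(uid).pw_uid


def resolve_gid(gid):
    return gid if isinstance(gid, int) else grp.getgrnam(gid).gr_gid


class _CapHeader(ctypes.Structure):
    _fields_ = [("version", ctypes.c_uint32), ("pid", ctypes.c_int)]


class _CapData(ctypes.Structure):
    _fields_ = [("effective", ctypes.c_uint32), ("permitted", ctypes.c_uint32),
                ("inheritable", ctypes.c_uint32)]


def _libc():
    return ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)


def _check(ret):
    if ret == -1:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return ret


def _prctl(option, arg2=0):
    return _check(_libc().prctl(option, ctypes.c_ulong(arg2), 0, 0, 0))


def restrict_capabilities(keep_mask):
    """Shrink the bounding set first (PR_CAPBSET_DROP needs CAP_SETPCAP in the effective
    set, which capset is about to remove), then the three capability sets."""
    for number in range(len(HARD_CODED_CAPS)):
        if not keep_mask & (1 << number):
            _prctl(PR_CAPBSET_DROP, number)
    header = _CapHeader(LINUX_CAPABILITY_VERSION_3, 0)
    data = (_CapData * 2)()
    for word, part in enumerate((keep_mask & 0xFFFFFFFF, keep_mask >> 32)):
        data[word].effective = data[word].permitted = data[word].inheritable = part
    _check(_libc().capset(ctypes.byref(header), data))


def lockdown_account(uid, gid, caps_to_keep=()):
    """Same step order as the page's lockdown_account. Needs CAP_SETPCAP, CAP_SETGID and
    CAP_SETUID to start with (in practice: run as root)."""
    if not sys.platform.startswith("linux"):
        raise RuntimeError("securebits and capabilities are Linux-only")
    _prctl(PR_SET_SECUREBITS, securebits_mask())  # caps now survive the uid switch
    gid = resolve_gid(gid)
    os.setgroups([gid])  # addition: also drop supplementary groups (not in the page's list)
    os.setgid(gid)
    os.setuid(resolve_uid(uid))
    restrict_capabilities(cap_mask(caps_to_keep))  # keep only what was asked for
    _prctl(PR_SET_NO_NEW_PRIVS, 1)
    return decode_securebits(_prctl(PR_GET_SECUREBITS))
```

The order matters: SECBIT_NO_SETUID_FIXUP is what keeps the effective set intact across the setuid, and PR_CAPBSET_DROP refuses to work without CAP_SETPCAP in that set, so with SECBIT_KEEP_CAPS alone (which retains only the permitted set) the bounding-set step would fail with EPERM after the uid switch. Setting no_new_privs last means every later execve is bound by the reduced sets.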

Set the SECBIT_NOROOT securebit.

Parameters: locked (bool) -- if True, also set SECBIT_NOROOT_LOCKED
Raises: RuntimeError -- if operation fails
set_keep_caps(locked=True)

Set the SECBIT_KEEP_CAPS securebit.

Parameters: locked (bool) -- if True, also set SECBIT_KEEP_CAPS_LOCKED
Raises: RuntimeError -- if operation fails
set_no_setuid_fixup(locked=True)

Set the SECBIT_NO_SETUID_FIXUP securebit.

Parameters: locked (bool) -- if True, also set SECBIT_NO_SETUID_FIXUP_LOCKED
Raises: RuntimeError -- if operation fails
set_no_new_privs()

Set no_new_privs.

Notes

  • With no_new_privs set, execve promises not to grant the privilege to do anything that could not have been done without the execve call.
  • See the prctl(2) manual page.

Capability sets

class CapabilitySet(capset)

Bases: deescalate._deescalate.C_CapabilitySet

Represent a set of capabilities.

Notes

  • Usually a CapabilitySet is used through one of its module-level instances (effective, permitted, inheritable).

  • A CapabilitySet is iterable, so to get the capabilities it contains:

    set(effective)
    
  • To check if a capability is in the set:

    b'net_admin' in effective
    
  • Arithmetic operators can be used to add/remove capabilities:

    effective -= b'net_admin'
    permitted += b'net_raw'
    inheritable += b'setuid, setgid'
    inheritable -= [b'sys_chroot', b'sys_ptrace']
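
A plain-Python model of the operator rules the notes above describe (iteration, membership, += and -= taking bytes, comma-separated bytes or lists, remove_all_except, and a bounding set that can only shrink), as an added example that is not deescalate's code: it holds capability names in a set instead of talking to the kernel, so the accepted argument forms can be exercised anywhere. The class names CapSet and BoundingCapSet and the parse_caps helper are this example's own.

```python
def parse_caps(spec):
    """b'net_admin', b'setuid, setgid', 'net_raw' or a list of those -> set of names."""
    if isinstance(spec, (bytes, str)):
        spec = [spec]
    names = set()
    for item in spec:
        text = item.decode() if isinstance(item, bytes) else item
        names.update(part.strip().lower() for part in text.split(",") if part.strip())
    return names


class CapSet:
    """Stand-in for CapabilitySet; stores names instead of a kernel capability set."""

    def __init__(self, name, caps=()):
        self.name = name
        self._caps = parse_caps(list(caps))

    def __iter__(self):
        return iter(sorted(self._caps))

    def __contains__(self, cap):
        wanted = parse_caps(cap)
        return bool(wanted) and wanted <= self._caps  # every listed name must be present

    def __iadd__(self, spec):  # effective += b'net_raw'
        self._caps |= parse_caps(spec)
        return self

    def __isub__(self, spec):  # effective -= [b'sys_chroot', b'sys_ptrace']
        self._caps -= parse_caps(spec)
        return self

    def remove_all_except(self, caps_to_keep):
        self._caps &= parse_caps(caps_to_keep)
        return self

    def __repr__(self):
        return "%s(%s)" % (self.name, ", ".join(self))


class BoundingCapSet(CapSet):
    """Like BoundingSet: capabilities can only be removed, never added back."""

    def __iadd__(self, spec):
        raise TypeError("the bounding set only supports removal")
```

Because the augmented operators return self, the module-level pattern `effective -= b'net_admin'` rebinds the name to the same object, which is what lets the page's one-liners work on shared instances.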
    


classmethod get_instance(capset)

CapabilitySet factory (class method).

Parameters: capset (int or string) -- which capability set to deal with ("effective", "permitted" or "inheritable")
remove_all_except(caps_to_keep)

Remove every capability from the set, except the ones given in caps_to_keep.

Parameters: caps_to_keep (bytes or list of bytes) -- do not drop these capabilities
class BoundingSet

Bases: deescalate._deescalate.C_BoundingSet

Represents the bounding capability set.

Notes

  • BoundingSet is iterable:

    list_of_caps = list(bounding_set)
    
  • To check if a capability is in the bounding set:

    b'net_admin' in bounding_set
    
  • The BoundingSet only supports removing capabilities it contains. Use:

    bounding_set -= b'net_admin,mac_override'
    bounding_set -= [b'syslog', b'wake_alarm']
    
classmethod get_instance()

BoundingSet factory (class method).

permitted = <deescalate.main.CapabilitySet object>

Permitted capability set

effective = <deescalate.main.CapabilitySet object>

Effective capability set

inheritable = <deescalate.main.CapabilitySet object>

Inheritable capability set

bounding_set = <deescalate.main.BoundingSet object>

Capability bounding set

Constants

class C

Bases: object

Gather the various constants used by deescalate.

HARD_CODED_CAPS = ['chown', 'dac_override', 'dac_read_search', 'fowner', 'fsetid', 'kill', 'setgid', 'setuid', 'setpcap', 'linux_immutable', 'net_bind_service', 'net_broadcast', 'net_admin', 'net_raw', 'ipc_lock', 'ipc_owner', 'sys_module', 'sys_rawio', 'sys_chroot', 'sys_ptrace', 'sys_pacct', 'sys_admin', 'sys_boot', 'sys_nice', 'sys_resource', 'sys_time', 'sys_tty_config', 'mknod', 'lease', 'audit_write', 'audit_control', 'setfcap', 'mac_override', 'mac_admin', 'syslog', 'wake_alarm', 'block_suspend']

List of usual capabilities on Linux

NB_HARD_CODED = 37

number of caps in HARD_CODED_CAPS

SECBIT_KEEP_CAPS = 16

SECBIT_KEEP_CAPS securebit

SECBIT_KEEP_CAPS_LOCKED = 32

SECBIT_KEEP_CAPS_LOCKED securebit

SECBIT_NOROOT = 1

NOROOT securebit

SECBIT_NOROOT_LOCKED = 2

NOROOT_LOCKED securebit

SECBIT_NO_SETUID_FIXUP = 4

NO_SETUID_FIXUP securebit

SECBIT_NO_SETUID_FIXUP_LOCKED = 8

NO_SETUID_FIXUP_LOCKED securebit

SUPPORTED_CAPS = {}

capabilities supported by the running platform

UNSUPPORTED_CAPS = ['chown', 'dac_override', 'dac_read_search', 'fowner', 'fsetid', 'kill', 'setgid', 'setuid', 'setpcap', 'linux_immutable', 'net_bind_service', 'net_broadcast', 'net_admin', 'net_raw', 'ipc_lock', 'ipc_owner', 'sys_module', 'sys_rawio', 'sys_chroot', 'sys_ptrace', 'sys_pacct', 'sys_admin', 'sys_boot', 'sys_nice', 'sys_resource', 'sys_time', 'sys_tty_config', 'mknod', 'lease', 'audit_write', 'audit_control', 'setfcap', 'mac_override', 'mac_admin', 'syslog', 'wake_alarm', 'block_suspend']

capabilities not supported by the running platform