Skip to content

Adds client uid validation to XPC server.#896

Merged
jglogan merged 5 commits intoapple:mainfrom
jglogan:users/jglogan/enforce-clientuid
Nov 19, 2025
Merged

Adds client uid validation to XPC server.#896
jglogan merged 5 commits intoapple:mainfrom
jglogan:users/jglogan/enforce-clientuid

Conversation

@jglogan
Copy link
Copy Markdown
Contributor

@jglogan jglogan commented Nov 18, 2025

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Motivation and Context

When a user performs an su the effective UID changes but the bootstrap mach port does not, so that if container is running as alice from a GUI login session, it's possible to su bob and continue running container. While this doesn't pose a significant security risk as it's necessary for Alice to know Bob's password and manually enter it with su, this change closes the loophole by validating that client UID from the caller's audit token matches that of the API server.

Testing

  • Tested locally
  • Added/updated tests
  • Added/updated docs
% container ls -a
ID        IMAGE                                               OS     ARCH   STATE    ADDR  CPUS  MEMORY
buildkit  ghcr.io/apple/container-builder-shim/builder:0.7.0  linux  arm64  stopped        2     2048 MB

% su bob
Password:
Restored session: Tue Nov 18 12:29:29 -03 2025

bob:container % container ls -a
Error: internalError: "failed to list containers" (cause: "invalidState: "unauthorized request"")

bob:container % exit

Saving session...
...saving history...truncating history files...
...completed.

% su - bob
Password:

bob:~ % container ls -a
Error: interrupted: "internalError: "failed to list containers" (cause: "interrupted: "XPC connection error: Connection invalid"")
Ensure container system service has been started with `container system start`."

@jglogan jglogan marked this pull request as draft November 18, 2025 15:52
@jglogan jglogan marked this pull request as ready for review November 18, 2025 15:54
@jglogan jglogan mentioned this pull request Nov 18, 2025
Merged
7 tasks
@jglogan jglogan requested a review from dkovba November 18, 2025 18:32
dkovba
dkovba reviewed Nov 18, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@dkovba dkovba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add automated tests for the UID validation?

Comment thread Sources/CAuditToken/include/AuditToken.h Outdated
Comment thread Sources/ContainerXPC/XPCServer.swift Outdated
Comment thread Sources/ContainerXPC/XPCServer.swift Outdated
Comment thread Tests/CLITests/Subcommands/Containers/TestCLICreate.swift
Comment thread Tests/CLITests/Subcommands/Containers/TestCLICreate.swift
Comment thread Sources/ContainerXPC/XPCServer.swift Outdated
@jglogan
Copy link
Copy Markdown
Contributor Author

jglogan commented Nov 18, 2025

Should we add automated tests for the UID validation?

Thoughts on how we do that? Would these only run locally? How would we change id without running as root to set UID programmatically, require user interaction, or modify a sudoers file?

@jglogan jglogan force-pushed the users/jglogan/enforce-clientuid branch from c315372 to f4d56ef Compare November 18, 2025 22:02
dkovba
dkovba reviewed Nov 19, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@dkovba dkovba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree that testing would be more complex than the code itself.

Comment thread Sources/ContainerXPC/XPCServer.swift Outdated
Comment thread Sources/ContainerXPC/XPCServer.swift Outdated
dkovba
dkovba approved these changes Nov 19, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@dkovba dkovba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@jglogan jglogan merged commit b2f5f3f into apple:main Nov 19, 2025
2 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Dec 3, 2025
Merged
saehejkang pushed a commit to saehejkang/container that referenced this pull request Jan 27, 2026
@jglogan @saehejkang
Adds client uid validation to XPC server. (apple#896)
93c25ab 
- When a user performs an `su` the effective UID changes but the bootstrap
  mach port does not, so that if container is running as `alice` from a
  GUI login session, it's possible to `su bob` and continue running
  container. While this doesn't pose a significant security risk as it's
  necessary for Alice to know Bob's password and manually enter it with
  `su`, this change closes the loophole by validating that client UID from
  the caller's audit token matches that of the API server.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dkovba dkovba dkovba approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jglogan @dkovba