Merge pull request #7399 from rhatdan/v2.0

In podman 1.* regression on --cap-add
author: OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> 2020-08-21 19:22:22 +0200
committer: GitHub <noreply@github.com> 2020-08-21 19:22:22 +0200
commit: e06cb25e813d92de60f0243d00c92b08bcac2ab6 (patch)
tree: 11953b3cbebe7f10dce45cf72a6d56e334228f41
parent: 11372c4c4d75d731f346c6be06e41bfe9600ce81 (diff)
parent: 7ed653804cbd9a74156cfa9ec4bbe67887d03884 (diff)
download: podman-e06cb25e813d92de60f0243d00c92b08bcac2ab6.tar.gz
podman-e06cb25e813d92de60f0243d00c92b08bcac2ab6.tar.bz2
podman-e06cb25e813d92de60f0243d00c92b08bcac2ab6.zip
6 files changed, 25 insertions, 22 deletions
diff --git a/go.mod b/go.mod
index cf595b492..6ddd5ad39 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/containernetworking/cni v0.7.2-0.20200304161608-4fae32b84921
 	github.com/containernetworking/plugins v0.8.6
 	github.com/containers/buildah v1.15.1
-	github.com/containers/common v0.14.7
+	github.com/containers/common v0.14.8
 	github.com/containers/conmon v2.0.18+incompatible
 	github.com/containers/image/v5 v5.5.2
 	github.com/containers/psgo v1.5.1
diff --git a/go.sum b/go.sum
index 1f1545677..ce7eb2676 100644
--- a/go.sum
+++ b/go.sum
@@ -70,8 +70,8 @@ github.com/containers/buildah v1.15.1 h1:fVYZedNKir1B7qW43KR3zmkjHH+ZAmPoPQix9zH
 github.com/containers/buildah v1.15.1/go.mod h1:AQPeirYl0bqtXuJaxM9d/xslMm+1qrABc73AEFw0M9U=
 github.com/containers/common v0.14.0 h1:hiZFDPf6ajKiDmojN5f5X3gboKPO73NLrYb0RXfrQiA=
 github.com/containers/common v0.14.0/go.mod h1:9olhlE+WhYof1npnMJdyRMX14/yIUint6zyHzcyRVAg=
-github.com/containers/common v0.14.7 h1:KcyupqUqY9GFnxBck5Ww/tMstbvEmekQys8k8GiYAC0=
-github.com/containers/common v0.14.7/go.mod h1:9olhlE+WhYof1npnMJdyRMX14/yIUint6zyHzcyRVAg=
+github.com/containers/common v0.14.8 h1:u0dwl1GV6tpxtVhFlPuTLx5pN7pXV+/GkP1Y34l0mjI=
+github.com/containers/common v0.14.8/go.mod h1:9olhlE+WhYof1npnMJdyRMX14/yIUint6zyHzcyRVAg=
 github.com/containers/conmon v2.0.18+incompatible h1:rjwjNnE756NuXcdE/uUmj4kDbrykslPuBMHI31wh43E=
 github.com/containers/conmon v2.0.18+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/image/v5 v5.4.4/go.mod h1:g7cxNXitiLi6pEr9/L9n/0wfazRuhDKXU15kV86N8h8=
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 840dcb72d..0edde4588 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -112,7 +112,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 			// Pass capRequiredRequested in CapAdd field to normalize capabilities names
 			capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil)
 			if err != nil {
-				logrus.Errorf("capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ","))
+				return errors.Wrapf(err, "capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ","))
 			} else {
 				// Verify all capRequiered are in the capList
 				for _, cap := range capsRequired {
@@ -129,12 +129,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 		}
 	}
 
-	g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
-
-	if err := setupApparmor(s, rtc, g); err != nil {
-		return err
-	}
-
 	configSpec := g.Config
 	configSpec.Process.Capabilities.Bounding = caplist
 
@@ -142,13 +136,22 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 		configSpec.Process.Capabilities.Effective = caplist
 		configSpec.Process.Capabilities.Permitted = caplist
 		configSpec.Process.Capabilities.Inheritable = caplist
-		configSpec.Process.Capabilities.Ambient = caplist
 	} else {
-		configSpec.Process.Capabilities.Effective = []string{}
-		configSpec.Process.Capabilities.Permitted = []string{}
-		configSpec.Process.Capabilities.Inheritable = []string{}
-		configSpec.Process.Capabilities.Ambient = []string{}
+		userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd)
+		if err != nil {
+			return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
+		}
+		configSpec.Process.Capabilities.Effective = userCaps
+		configSpec.Process.Capabilities.Permitted = userCaps
+		configSpec.Process.Capabilities.Inheritable = userCaps
 	}
+
+	g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
+
+	if err := setupApparmor(s, rtc, g); err != nil {
+		return err
+	}
+
 	// HANDLE SECCOMP
 	if s.SeccompProfilePath != "unconfined" {
 		seccompConfig, err := getSeccompConfig(s, configSpec, newImage)
diff --git a/vendor/github.com/containers/common/pkg/capabilities/capabilities.go b/vendor/github.com/containers/common/pkg/capabilities/capabilities.go
index 941177489..ddfa53be8 100644
--- a/vendor/github.com/containers/common/pkg/capabilities/capabilities.go
+++ b/vendor/github.com/containers/common/pkg/capabilities/capabilities.go
@@ -57,9 +57,9 @@ func AllCapabilities() []string {
 	return capabilityList
 }
 
-// normalizeCapabilities normalizes caps by adding a "CAP_" prefix (if not yet
+// NormalizeCapabilities normalizes caps by adding a "CAP_" prefix (if not yet
 // present).
-func normalizeCapabilities(caps []string) ([]string, error) {
+func NormalizeCapabilities(caps []string) ([]string, error) {
 	normalized := make([]string, len(caps))
 	for i, c := range caps {
 		c = strings.ToUpper(c)
@@ -98,7 +98,7 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 	var caps []string
 
 	// Normalize the base capabilities
-	base, err := normalizeCapabilities(base)
+	base, err := NormalizeCapabilities(base)
 	if err != nil {
 		return nil, err
 	}
@@ -106,11 +106,11 @@ func MergeCapabilities(base, adds, drops []string) ([]string, error) {
 		// Nothing to tweak; we're done
 		return base, nil
 	}
-	capDrop, err := normalizeCapabilities(drops)
+	capDrop, err := NormalizeCapabilities(drops)
 	if err != nil {
 		return nil, err
 	}
-	capAdd, err := normalizeCapabilities(adds)
+	capAdd, err := NormalizeCapabilities(adds)
 	if err != nil {
 		return nil, err
 	}
diff --git a/vendor/github.com/containers/common/version/version.go b/vendor/github.com/containers/common/version/version.go
index cce745b59..267e2b49a 100644
--- a/vendor/github.com/containers/common/version/version.go
+++ b/vendor/github.com/containers/common/version/version.go
@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "0.14.7-dev"
+const Version = "0.14.8"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 9e3152def..217f04ca5 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -84,7 +84,7 @@ github.com/containers/buildah/pkg/secrets
 github.com/containers/buildah/pkg/supplemented
 github.com/containers/buildah/pkg/umask
 github.com/containers/buildah/util
-# github.com/containers/common v0.14.7
+# github.com/containers/common v0.14.8
 github.com/containers/common/pkg/apparmor
 github.com/containers/common/pkg/auth
 github.com/containers/common/pkg/capabilities
author	OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>	2020-08-21 19:22:22 +0200
committer	GitHub <noreply@github.com>	2020-08-21 19:22:22 +0200
commit	e06cb25e813d92de60f0243d00c92b08bcac2ab6 (patch)
tree	11953b3cbebe7f10dce45cf72a6d56e334228f41
parent	11372c4c4d75d731f346c6be06e41bfe9600ce81 (diff)
parent	7ed653804cbd9a74156cfa9ec4bbe67887d03884 (diff)
download	podman-e06cb25e813d92de60f0243d00c92b08bcac2ab6.tar.gz podman-e06cb25e813d92de60f0243d00c92b08bcac2ab6.tar.bz2 podman-e06cb25e813d92de60f0243d00c92b08bcac2ab6.zip