summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2018-05-30 13:16:10 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-05-31 13:46:08 +0000
commitbae80a0b663925ec751ad2784ca32989403cdc24 (patch)
tree6bf214cf2b8694d2dffc96b8a5206916c714488d
parente6b088fc6ee16f6c34013484c6d6d49c543435cb (diff)
downloadpodman-bae80a0b663925ec751ad2784ca32989403cdc24.tar.gz
podman-bae80a0b663925ec751ad2784ca32989403cdc24.tar.bz2
podman-bae80a0b663925ec751ad2784ca32989403cdc24.zip
Clear all caps, except the bounding set, when --user is specified.
Currently we are giving all caps to users when running with podman run --user, They should get none by default. If the command line includes --cap-add, then we need to run with those capabilties. Similarly we need to drop caps from bounding set, if user specifies --cap-drop Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #851 Approved by: mheon
-rw-r--r--pkg/spec/spec.go19
-rw-r--r--test/e2e/run_test.go9
2 files changed, 28 insertions, 0 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 959a24213..5260b9b19 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -388,8 +388,19 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
}
func setupCapabilities(config *CreateConfig, configSpec *spec.Spec) error {
+ useNotRoot := func(user string) bool {
+ if user == "" || user == "root" || user == "0" {
+ return false
+ }
+ return true
+ }
+
var err error
var caplist []string
+ bounding := configSpec.Process.Capabilities.Bounding
+ if useNotRoot(config.User) {
+ configSpec.Process.Capabilities.Bounding = caplist
+ }
caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
if err != nil {
return err
@@ -399,6 +410,14 @@ func setupCapabilities(config *CreateConfig, configSpec *spec.Spec) error {
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
configSpec.Process.Capabilities.Effective = caplist
+ configSpec.Process.Capabilities.Ambient = caplist
+ if useNotRoot(config.User) {
+ caplist, err = caps.TweakCapabilities(bounding, config.CapAdd, config.CapDrop)
+ if err != nil {
+ return err
+ }
+ }
+ configSpec.Process.Capabilities.Bounding = caplist
return nil
}
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index cc8492958..5f2bccdac 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -5,6 +5,7 @@ import (
"io/ioutil"
"os"
"path/filepath"
+ "strings"
"github.com/mrunalp/fileutils"
. "github.com/onsi/ginkgo"
@@ -369,6 +370,14 @@ var _ = Describe("Podman run", func() {
Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
})
+ It("podman run with user, verify caps dropped", func() {
+ session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "grep", "CapEff", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ capEff := strings.Split(session.OutputToString(), " ")
+ Expect("0000000000000000").To(Equal(capEff[1]))
+ })
+
It("podman run with attach stdin outputs container ID", func() {
session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"})
session.WaitWithDefaultTimeout()