summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2021-03-19 12:10:33 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2021-03-19 15:17:11 +0100
commite85cf8f4a2a9fa838087e2b55c93c61f7996b9b7 (patch)
tree4165210e38bee2b0fa12c46a02d8fccdb203d50a
parentf46b34ecd265fe86f6b67669fd545584cbe85a39 (diff)
downloadpodman-e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7.tar.gz
podman-e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7.tar.bz2
podman-e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7.zip
security: use the bounding caps with --privileged
when --privileged is used, make sure to not request more capabilities than currently available in the current context. [NO TESTS NEEDED] since it fixes existing tests. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--libpod/oci_conmon_linux.go5
-rw-r--r--pkg/specgen/generate/security.go36
2 files changed, 37 insertions, 4 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index ef5f6fb0c..1c7089e5d 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1268,7 +1268,10 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
return nil, err
}
- allCaps := capabilities.AllCapabilities()
+ allCaps, err := capabilities.BoundingSet()
+ if err != nil {
+ return nil, err
+ }
if options.Privileged {
pspec.Capabilities.Bounding = allCaps
} else {
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 56aac8bfd..e0e4a47a4 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -89,12 +89,28 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
// NOTE: Must happen before SECCOMP
if s.Privileged {
g.SetupPrivileged(true)
- caplist = capabilities.AllCapabilities()
+ caplist, err = capabilities.BoundingSet()
+ if err != nil {
+ return err
+ }
} else {
- caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
+ mergedCaps, err := capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
+ if err != nil {
+ return err
+ }
+ boundingSet, err := capabilities.BoundingSet()
if err != nil {
return err
}
+ boundingCaps := make(map[string]interface{})
+ for _, b := range boundingSet {
+ boundingCaps[b] = b
+ }
+ for _, c := range mergedCaps {
+ if _, ok := boundingCaps[c]; ok {
+ caplist = append(caplist, c)
+ }
+ }
privCapsRequired := []string{}
@@ -139,10 +155,24 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
} else {
- userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
+ mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
if err != nil {
return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
}
+ boundingSet, err := capabilities.BoundingSet()
+ if err != nil {
+ return err
+ }
+ boundingCaps := make(map[string]interface{})
+ for _, b := range boundingSet {
+ boundingCaps[b] = b
+ }
+ var userCaps []string
+ for _, c := range mergedCaps {
+ if _, ok := boundingCaps[c]; ok {
+ userCaps = append(userCaps, c)
+ }
+ }
configSpec.Process.Capabilities.Effective = userCaps
configSpec.Process.Capabilities.Permitted = userCaps
configSpec.Process.Capabilities.Inheritable = userCaps