diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2021-03-19 12:10:33 +0100 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2021-03-19 15:17:11 +0100 |
commit | e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7 (patch) | |
tree | 4165210e38bee2b0fa12c46a02d8fccdb203d50a | |
parent | f46b34ecd265fe86f6b67669fd545584cbe85a39 (diff) | |
download | podman-e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7.tar.gz podman-e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7.tar.bz2 podman-e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7.zip |
security: use the bounding caps with --privileged
when --privileged is used, make sure to not request more capabilities
than currently available in the current context.
[NO TESTS NEEDED] since it fixes existing tests.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r-- | libpod/oci_conmon_linux.go | 5 | ||||
-rw-r--r-- | pkg/specgen/generate/security.go | 36 |
2 files changed, 37 insertions, 4 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index ef5f6fb0c..1c7089e5d 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -1268,7 +1268,10 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio return nil, err } - allCaps := capabilities.AllCapabilities() + allCaps, err := capabilities.BoundingSet() + if err != nil { + return nil, err + } if options.Privileged { pspec.Capabilities.Bounding = allCaps } else { diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go index 56aac8bfd..e0e4a47a4 100644 --- a/pkg/specgen/generate/security.go +++ b/pkg/specgen/generate/security.go @@ -89,12 +89,28 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, // NOTE: Must happen before SECCOMP if s.Privileged { g.SetupPrivileged(true) - caplist = capabilities.AllCapabilities() + caplist, err = capabilities.BoundingSet() + if err != nil { + return err + } } else { - caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop) + mergedCaps, err := capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop) + if err != nil { + return err + } + boundingSet, err := capabilities.BoundingSet() if err != nil { return err } + boundingCaps := make(map[string]interface{}) + for _, b := range boundingSet { + boundingCaps[b] = b + } + for _, c := range mergedCaps { + if _, ok := boundingCaps[c]; ok { + caplist = append(caplist, c) + } + } privCapsRequired := []string{} @@ -139,10 +155,24 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, configSpec.Process.Capabilities.Permitted = caplist configSpec.Process.Capabilities.Inheritable = caplist } else { - userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil) + mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil) if err != nil { return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ",")) } + boundingSet, err := capabilities.BoundingSet() + if err != nil { + return err + } + boundingCaps := make(map[string]interface{}) + for _, b := range boundingSet { + boundingCaps[b] = b + } + var userCaps []string + for _, c := range mergedCaps { + if _, ok := boundingCaps[c]; ok { + userCaps = append(userCaps, c) + } + } configSpec.Process.Capabilities.Effective = userCaps configSpec.Process.Capabilities.Permitted = userCaps configSpec.Process.Capabilities.Inheritable = userCaps |