diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2018-05-30 13:16:10 -0400 |
|---|---|---|
| committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-05-31 13:46:08 +0000 |
| commit | bae80a0b663925ec751ad2784ca32989403cdc24 (patch) | |
| tree | 6bf214cf2b8694d2dffc96b8a5206916c714488d | |
| parent | e6b088fc6ee16f6c34013484c6d6d49c543435cb (diff) | |
| download | podman-bae80a0b663925ec751ad2784ca32989403cdc24.tar.gz podman-bae80a0b663925ec751ad2784ca32989403cdc24.tar.bz2 podman-bae80a0b663925ec751ad2784ca32989403cdc24.zip | |
Clear all caps, except the bounding set, when --user is specified.
Currently we are giving all caps to users when running with podman run --user,
They should get none by default. If the command line includes --cap-add, then
we need to run with those capabilties. Similarly we need to drop caps from
bounding set, if user specifies --cap-drop
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #851
Approved by: mheon
| -rw-r--r-- | pkg/spec/spec.go | 19 | ||||
| -rw-r--r-- | test/e2e/run_test.go | 9 |
2 files changed, 28 insertions, 0 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 959a24213..5260b9b19 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -388,8 +388,19 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error { } func setupCapabilities(config *CreateConfig, configSpec *spec.Spec) error { + useNotRoot := func(user string) bool { + if user == "" || user == "root" || user == "0" { + return false + } + return true + } + var err error var caplist []string + bounding := configSpec.Process.Capabilities.Bounding + if useNotRoot(config.User) { + configSpec.Process.Capabilities.Bounding = caplist + } caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop) if err != nil { return err @@ -399,6 +410,14 @@ func setupCapabilities(config *CreateConfig, configSpec *spec.Spec) error { configSpec.Process.Capabilities.Permitted = caplist configSpec.Process.Capabilities.Inheritable = caplist configSpec.Process.Capabilities.Effective = caplist + configSpec.Process.Capabilities.Ambient = caplist + if useNotRoot(config.User) { + caplist, err = caps.TweakCapabilities(bounding, config.CapAdd, config.CapDrop) + if err != nil { + return err + } + } + configSpec.Process.Capabilities.Bounding = caplist return nil } diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index cc8492958..5f2bccdac 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -5,6 +5,7 @@ import ( "io/ioutil" "os" "path/filepath" + "strings" "github.com/mrunalp/fileutils" . "github.com/onsi/ginkgo" @@ -369,6 +370,14 @@ var _ = Describe("Podman run", func() { Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)")) }) + It("podman run with user, verify caps dropped", func() { + session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "grep", "CapEff", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + capEff := strings.Split(session.OutputToString(), " ") + Expect("0000000000000000").To(Equal(capEff[1])) + }) + It("podman run with attach stdin outputs container ID", func() { session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"}) session.WaitWithDefaultTimeout() |