diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2020-06-17 10:43:36 -0400 |
|---|---|---|
| committer | Daniel J Walsh <dwalsh@redhat.com> | 2020-06-17 17:20:53 -0400 |
| commit | fe69aa9ba385f5d44b95f549b6b223589131c1f7 (patch) | |
| tree | 36b1e037179388b4666e86f39f10eb8399fdd61f | |
| parent | 7b00e49f657305f233e4e29613821305bf4d2962 (diff) | |
| download | podman-fe69aa9ba385f5d44b95f549b6b223589131c1f7.tar.gz podman-fe69aa9ba385f5d44b95f549b6b223589131c1f7.tar.bz2 podman-fe69aa9ba385f5d44b95f549b6b223589131c1f7.zip | |
Handle dropping capabilties correctly when running as non root user
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| -rw-r--r-- | pkg/specgen/generate/security.go | 18 | ||||
| -rw-r--r-- | test/e2e/run_test.go | 45 | ||||
| -rw-r--r-- | test/system/030-run.bats | 1 |
3 files changed, 59 insertions, 5 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go index d2229b06f..f3821d1f7 100644 --- a/pkg/specgen/generate/security.go +++ b/pkg/specgen/generate/security.go @@ -67,7 +67,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, g.SetupPrivileged(true) caplist = capabilities.AllCapabilities() } else { - caplist, err = rtc.Capabilities(s.User, s.CapAdd, s.CapDrop) + caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop) if err != nil { return err } @@ -107,10 +107,18 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, } configSpec := g.Config configSpec.Process.Capabilities.Bounding = caplist - configSpec.Process.Capabilities.Permitted = caplist - configSpec.Process.Capabilities.Inheritable = caplist - configSpec.Process.Capabilities.Effective = caplist - configSpec.Process.Capabilities.Ambient = caplist + + if s.User == "" || s.User == "root" || s.User == "0" { + configSpec.Process.Capabilities.Effective = caplist + configSpec.Process.Capabilities.Permitted = caplist + configSpec.Process.Capabilities.Inheritable = caplist + configSpec.Process.Capabilities.Ambient = caplist + } else { + configSpec.Process.Capabilities.Effective = []string{} + configSpec.Process.Capabilities.Permitted = []string{} + configSpec.Process.Capabilities.Inheritable = []string{} + configSpec.Process.Capabilities.Ambient = []string{} + } // HANDLE SECCOMP if s.SeccompProfilePath != "unconfined" { seccompConfig, err := getSeccompConfig(s, configSpec, newImage) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 6dce0b48d..c78c23b1f 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -217,6 +217,51 @@ var _ = Describe("Podman run", func() { Expect(session.ExitCode()).To(Equal(0)) }) + It("podman run user capabilities test", func() { + session := podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapBnd", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) + + session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapEff", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) + + session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapBnd", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) + + session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapEff", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) + + session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) + + session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapEff", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) + + dockerfile := `FROM busybox +USER bin` + podmanTest.BuildImage(dockerfile, "test", "false") + session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", "test", "grep", "CapBnd", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb")) + + session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", "test", "grep", "CapEff", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) + }) + It("podman run limits test", func() { SkipIfRootless() session := podmanTest.Podman([]string{"run", "--rm", "--ulimit", "rtprio=99", "--cap-add=sys_nice", fedoraMinimal, "cat", "/proc/self/sched"}) diff --git a/test/system/030-run.bats b/test/system/030-run.bats index 1bcf3896f..aa9ace332 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -63,6 +63,7 @@ echo $rand | 0 | $rand @test "podman run - uidmapping has no /sys/kernel mounts" { skip_if_rootless "cannot umount as rootless" + skip_if_remote "TODO Fix this for remote case" run_podman run --rm --uidmap 0:100:10000 $IMAGE mount run grep /sys/kernel <(echo "$output") |