author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-01-07 09:44:37 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-07 09:44:37 -0500 |
commit | 3cf41c4a7349d2f2529ce94801de2de9898ae27f (patch) | |
tree | 0982a64d3ffd90561a8f1465be0581edfca489d3 /libpod/oci_conmon_linux.go | |
parent | 74af9254b98eb21e25c9776b0cf0664d3cb2c46e (diff) | |
parent | db71759b1aa575633649091b97ea9b856aebc687 (diff) | |
Merge pull request #8821 from rhatdan/caps
Containers should not get inheritable caps by default
Diffstat (limited to 'libpod/oci_conmon_linux.go')
-rw-r--r-- | libpod/oci_conmon_linux.go | 34 |
1 files changed, 27 insertions, 7 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index e7cb5a802..6b5da439a 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -22,6 +22,7 @@ import (
 "text/template"
 "time"

+ "github.com/containers/common/pkg/capabilities"
 "github.com/containers/common/pkg/config"
 conmonConfig "github.com/containers/conmon/runner/config"
 "github.com/containers/podman/v2/libpod/define"
@@ -1201,13 +1202,7 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
 }
 pspec.SelinuxLabel = c.config.ProcessLabel
 pspec.Args = options.Cmd
- for _, cap := range options.CapAdd {
- pspec.Capabilities.Bounding = append(pspec.Capabilities.Bounding, cap)
- pspec.Capabilities.Effective = append(pspec.Capabilities.Effective, cap)
- pspec.Capabilities.Inheritable = append(pspec.Capabilities.Inheritable, cap)
- pspec.Capabilities.Permitted = append(pspec.Capabilities.Permitted, cap)
- pspec.Capabilities.Ambient = append(pspec.Capabilities.Ambient, cap)
- }
+
 // We need to default this to false else it will inherit terminal as true
 // from the container.
 pspec.Terminal = false
@@ -1263,6 +1258,31 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
 pspec.User = processUser
 }

+ ctrSpec, err := c.specFromState()
+ if err != nil {
+ return nil, err
+ }
+
+ allCaps := capabilities.AllCapabilities()
+ if options.Privileged {
+ pspec.Capabilities.Bounding = allCaps
+ } else {
+ pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
+ }
+ if execUser.Uid == 0 {
+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+ pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+ pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
+ } else {
+ if user == c.config.User {
+ pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
+ pspec.Capabilities.Inheritable = ctrSpec.Process.Capabilities.Effective
+ pspec.Capabilities.Permitted = ctrSpec.Process.Capabilities.Effective
+ pspec.Capabilities.Ambient = ctrSpec.Process.Capabilities.Effective
+ }
+ }
+
 hasHomeSet := false
 for _, s := range pspec.Env {
 if strings.HasPrefix(s, "HOME=") { |
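Review bot: Both capability branches still populate the inheritable set (`pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding` for UID 0, and the container's effective set for the matching non-root user), which does not match the merge title "Containers should not get inheritable caps by default". A non-empty inheritable set lets those capabilities carry across execve into any binary whose file-inheritable bits match, so unless something outside this hunk depends on it I would make it explicitly empty in both branches: `pspec.Capabilities.Inheritable = []string{}`. Separately, a non-root exec user that differs from `c.config.User` falls through the inner `if` without any assignment, so the effective, permitted and ambient sets keep whatever `pspec` held earlier; prepareProcessExec starts and ends outside the hunk, so that starting value is not visible here, and a short comment on the missing `else` stating which sets such a user is meant to end up with would make the policy auditable. The `else { if ... }` nesting can also be flattened to `} else if user == c.config.User {`.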