summaryrefslogtreecommitdiff
path: root/pkg/specgen/generate
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2021-03-19 12:10:33 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2021-03-19 15:17:11 +0100
commite85cf8f4a2a9fa838087e2b55c93c61f7996b9b7 (patch)
tree4165210e38bee2b0fa12c46a02d8fccdb203d50a /pkg/specgen/generate
parentf46b34ecd265fe86f6b67669fd545584cbe85a39 (diff)
downloadpodman-e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7.tar.gz
podman-e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7.tar.bz2
podman-e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7.zip
security: use the bounding caps with --privileged
when --privileged is used, make sure to not request more capabilities than currently available in the current context. [NO TESTS NEEDED] since it fixes existing tests. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/specgen/generate')
-rw-r--r--pkg/specgen/generate/security.go36
1 files changed, 33 insertions, 3 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 56aac8bfd..e0e4a47a4 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -89,12 +89,28 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
// NOTE: Must happen before SECCOMP
if s.Privileged {
g.SetupPrivileged(true)
- caplist = capabilities.AllCapabilities()
+ caplist, err = capabilities.BoundingSet()
+ if err != nil {
+ return err
+ }
} else {
- caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
+ mergedCaps, err := capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
+ if err != nil {
+ return err
+ }
+ boundingSet, err := capabilities.BoundingSet()
if err != nil {
return err
}
+ boundingCaps := make(map[string]interface{})
+ for _, b := range boundingSet {
+ boundingCaps[b] = b
+ }
+ for _, c := range mergedCaps {
+ if _, ok := boundingCaps[c]; ok {
+ caplist = append(caplist, c)
+ }
+ }
privCapsRequired := []string{}
@@ -139,10 +155,24 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
} else {
- userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
+ mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
if err != nil {
return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
}
+ boundingSet, err := capabilities.BoundingSet()
+ if err != nil {
+ return err
+ }
+ boundingCaps := make(map[string]interface{})
+ for _, b := range boundingSet {
+ boundingCaps[b] = b
+ }
+ var userCaps []string
+ for _, c := range mergedCaps {
+ if _, ok := boundingCaps[c]; ok {
+ userCaps = append(userCaps, c)
+ }
+ }
configSpec.Process.Capabilities.Effective = userCaps
configSpec.Process.Capabilities.Permitted = userCaps
configSpec.Process.Capabilities.Inheritable = userCaps