summaryrefslogtreecommitdiff
path: root/pkg/specgen/generate
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2020-08-17 06:28:45 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2020-08-21 10:56:29 -0400
commit3848cac86052369c35a76f86a1f8e5471dfdf9e2 (patch)
treece349740b66871a766c7a98bc40333b32897baae /pkg/specgen/generate
parent516196f09677819b72d03e068fb8094b28e273aa (diff)
downloadpodman-3848cac86052369c35a76f86a1f8e5471dfdf9e2.tar.gz
podman-3848cac86052369c35a76f86a1f8e5471dfdf9e2.tar.bz2
podman-3848cac86052369c35a76f86a1f8e5471dfdf9e2.zip
In podman 1.* regression on --cap-add
In podman 1.0 if you executed a command like: podman run --user dwalsh --cap-add net_bind_service alpine nc -l 80 It would work, and the user dwalsh would get the capability, in podman 2.0, only root and the binding set gets the capability. This change restores us back to the way podman 1.0 worked. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/specgen/generate')
-rw-r--r--pkg/specgen/generate/security.go26
1 files changed, 14 insertions, 12 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 5e4cc3399..d3e3d9278 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -112,7 +112,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
// Pass capRequiredRequested in CapAdd field to normalize capabilities names
capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil)
if err != nil {
- logrus.Errorf("capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ","))
+ return errors.Wrapf(err, "capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ","))
} else {
// Verify all capRequiered are in the capList
for _, cap := range capsRequired {
@@ -129,12 +129,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
}
}
- g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
-
- if err := setupApparmor(s, rtc, g); err != nil {
- return err
- }
-
configSpec := g.Config
configSpec.Process.Capabilities.Bounding = caplist
@@ -142,13 +136,21 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
- configSpec.Process.Capabilities.Ambient = caplist
} else {
- configSpec.Process.Capabilities.Effective = []string{}
- configSpec.Process.Capabilities.Permitted = []string{}
- configSpec.Process.Capabilities.Inheritable = []string{}
- configSpec.Process.Capabilities.Ambient = []string{}
+ userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd)
+ if err != nil {
+ return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
+ }
+ configSpec.Process.Capabilities.Effective = userCaps
+ configSpec.Process.Capabilities.Permitted = userCaps
}
+
+ g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
+
+ if err := setupApparmor(s, rtc, g); err != nil {
+ return err
+ }
+
// HANDLE SECCOMP
if s.SeccompProfilePath != "unconfined" {
seccompConfig, err := getSeccompConfig(s, configSpec, newImage)