summaryrefslogtreecommitdiff
path: root/pkg/specgen
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2020-06-17 10:43:36 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2020-06-17 17:20:53 -0400
commitfe69aa9ba385f5d44b95f549b6b223589131c1f7 (patch)
tree36b1e037179388b4666e86f39f10eb8399fdd61f /pkg/specgen
parent7b00e49f657305f233e4e29613821305bf4d2962 (diff)
downloadpodman-fe69aa9ba385f5d44b95f549b6b223589131c1f7.tar.gz
podman-fe69aa9ba385f5d44b95f549b6b223589131c1f7.tar.bz2
podman-fe69aa9ba385f5d44b95f549b6b223589131c1f7.zip
Handle dropping capabilties correctly when running as non root user
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/specgen')
-rw-r--r--pkg/specgen/generate/security.go18
1 files changed, 13 insertions, 5 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index d2229b06f..f3821d1f7 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -67,7 +67,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
g.SetupPrivileged(true)
caplist = capabilities.AllCapabilities()
} else {
- caplist, err = rtc.Capabilities(s.User, s.CapAdd, s.CapDrop)
+ caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
if err != nil {
return err
}
@@ -107,10 +107,18 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
}
configSpec := g.Config
configSpec.Process.Capabilities.Bounding = caplist
- configSpec.Process.Capabilities.Permitted = caplist
- configSpec.Process.Capabilities.Inheritable = caplist
- configSpec.Process.Capabilities.Effective = caplist
- configSpec.Process.Capabilities.Ambient = caplist
+
+ if s.User == "" || s.User == "root" || s.User == "0" {
+ configSpec.Process.Capabilities.Effective = caplist
+ configSpec.Process.Capabilities.Permitted = caplist
+ configSpec.Process.Capabilities.Inheritable = caplist
+ configSpec.Process.Capabilities.Ambient = caplist
+ } else {
+ configSpec.Process.Capabilities.Effective = []string{}
+ configSpec.Process.Capabilities.Permitted = []string{}
+ configSpec.Process.Capabilities.Inheritable = []string{}
+ configSpec.Process.Capabilities.Ambient = []string{}
+ }
// HANDLE SECCOMP
if s.SeccompProfilePath != "unconfined" {
seccompConfig, err := getSeccompConfig(s, configSpec, newImage)