diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2020-06-17 10:43:36 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2020-06-17 17:20:53 -0400 |
commit | fe69aa9ba385f5d44b95f549b6b223589131c1f7 (patch) | |
tree | 36b1e037179388b4666e86f39f10eb8399fdd61f /pkg/specgen | |
parent | 7b00e49f657305f233e4e29613821305bf4d2962 (diff) | |
download | podman-fe69aa9ba385f5d44b95f549b6b223589131c1f7.tar.gz podman-fe69aa9ba385f5d44b95f549b6b223589131c1f7.tar.bz2 podman-fe69aa9ba385f5d44b95f549b6b223589131c1f7.zip |
Handle dropping capabilties correctly when running as non root user
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/specgen')
-rw-r--r-- | pkg/specgen/generate/security.go | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go index d2229b06f..f3821d1f7 100644 --- a/pkg/specgen/generate/security.go +++ b/pkg/specgen/generate/security.go @@ -67,7 +67,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, g.SetupPrivileged(true) caplist = capabilities.AllCapabilities() } else { - caplist, err = rtc.Capabilities(s.User, s.CapAdd, s.CapDrop) + caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop) if err != nil { return err } @@ -107,10 +107,18 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, } configSpec := g.Config configSpec.Process.Capabilities.Bounding = caplist - configSpec.Process.Capabilities.Permitted = caplist - configSpec.Process.Capabilities.Inheritable = caplist - configSpec.Process.Capabilities.Effective = caplist - configSpec.Process.Capabilities.Ambient = caplist + + if s.User == "" || s.User == "root" || s.User == "0" { + configSpec.Process.Capabilities.Effective = caplist + configSpec.Process.Capabilities.Permitted = caplist + configSpec.Process.Capabilities.Inheritable = caplist + configSpec.Process.Capabilities.Ambient = caplist + } else { + configSpec.Process.Capabilities.Effective = []string{} + configSpec.Process.Capabilities.Permitted = []string{} + configSpec.Process.Capabilities.Inheritable = []string{} + configSpec.Process.Capabilities.Ambient = []string{} + } // HANDLE SECCOMP if s.SeccompProfilePath != "unconfined" { seccompConfig, err := getSeccompConfig(s, configSpec, newImage) |