author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-03-19 16:00:32 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-19 16:00:32 -0700 |
commit | ebc9871c9358b41daefc37e5db8119f596770cb7 (patch) | |
tree | 2ea4b54edf71e94d8a37918b8658326b1d194772 /pkg | |
parent | 5325957d536be3515fb7a782e4755afca38fca4c (diff) | |
parent | adf652e2a1a67a8c70840fb9dfbc796f5b5b3c03 (diff) | |
download | podman-ebc9871c9358b41daefc37e5db8119f596770cb7.tar.gz podman-ebc9871c9358b41daefc37e5db8119f596770cb7.tar.bz2 podman-ebc9871c9358b41daefc37e5db8119f596770cb7.zip |
Merge pull request #9762 from giuseppe/use-bounding-caps-for---privileged
security: use the bounding caps with --privileged
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/specgen/generate/security.go | 36 |
1 files changed, 33 insertions, 3 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 56aac8bfd..e0e4a47a4 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -89,12 +89,28 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 // NOTE: Must happen before SECCOMP
 if s.Privileged {
 g.SetupPrivileged(true)
- caplist = capabilities.AllCapabilities()
+ caplist, err = capabilities.BoundingSet()
+ if err != nil {
+ return err
+ }
 } else {
- caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
+ mergedCaps, err := capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
+ if err != nil {
+ return err
+ }
+ boundingSet, err := capabilities.BoundingSet()
 if err != nil {
 return err
 }
+ boundingCaps := make(map[string]interface{})
+ for _, b := range boundingSet {
+ boundingCaps[b] = b
+ }
+ for _, c := range mergedCaps {
+ if _, ok := boundingCaps[c]; ok {
+ caplist = append(caplist, c)
+ }
+ }
 privCapsRequired := []string{}
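Review bot: The bounding-set intersection in the else branch is written out again, nearly verbatim, in the second hunk for the non-root user caps, and each copy calls capabilities.BoundingSet() itself, so one call of securityConfigureGenerator can now read the bounding set twice. A small helper that takes the merged list and returns only the members present in the bounding set would remove the duplication, let the lookup map be a `map[string]struct{}` instead of `map[string]interface{}`, and replace `caplist = append(caplist, c)` with a plain assignment, which also sidesteps the question of whether caplist (declared before this hunk) could already hold entries at that point. securityConfigureGenerator's body starts and ends outside the hunk, so the helper's exact placement is left to the author.
```go
// capsInBoundingSet returns the members of caps that are present in the
// current process's capability bounding set, preserving their order.
// Entries outside the bounding set are dropped rather than reported as an
// error, since the runtime could not grant them to the container anyway.
func capsInBoundingSet(caps []string) ([]string, error) {
	boundingSet, err := capabilities.BoundingSet()
	if err != nil {
		return nil, err
	}
	allowed := make(map[string]struct{}, len(boundingSet))
	for _, b := range boundingSet {
		allowed[b] = struct{}{}
	}
	var out []string
	for _, c := range caps {
		if _, ok := allowed[c]; ok {
			out = append(out, c)
		}
	}
	return out, nil
}

	} else {
		mergedCaps, err := capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
		if err != nil {
			return err
		}
		caplist, err = capsInBoundingSet(mergedCaps)
		if err != nil {
			return err
		}
		// … unchanged: privCapsRequired handling …
```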
@@ -139,10 +155,24 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 configSpec.Process.Capabilities.Permitted = caplist
 configSpec.Process.Capabilities.Inheritable = caplist
 } else {
- userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
+ mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
 if err != nil {
 return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
 }
+ boundingSet, err := capabilities.BoundingSet()
+ if err != nil {
+ return err
+ }
+ boundingCaps := make(map[string]interface{})
+ for _, b := range boundingSet {
+ boundingCaps[b] = b
+ }
+ var userCaps []string
+ for _, c := range mergedCaps {
+ if _, ok := boundingCaps[c]; ok {
+ userCaps = append(userCaps, c)
+ }
+ }
 configSpec.Process.Capabilities.Effective = userCaps
 configSpec.Process.Capabilities.Permitted = userCaps
 configSpec.Process.Capabilities.Inheritable = userCaps |
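Review bot: Capabilities that --cap-add requests but that are absent from the bounding set are now dropped from Effective, Permitted and Inheritable with no diagnostic, while the errors.Wrapf just above still rejects only names MergeCapabilities does not recognize, so a user can get fewer capabilities than asked for with nothing explaining why; the filtering loop in the first hunk behaves the same way. The drop itself is a reasonable fail-closed choice, but it deserves a comment on the `for _, c := range mergedCaps` loop, e.g. `// Drop requested caps that are outside our bounding set: the runtime cannot grant them, and --privileged above is limited to the bounding set for the same reason.`, and, if this file already has a logger in scope, a debug-level message naming the dropped entries would make the behavior observable. It is also worth confirming that MergeCapabilities and BoundingSet return names in the same canonical spelling, since the map lookup is an exact string match and a mismatch would silently empty the list.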