diff options
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-08-21 19:22:22 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-08-21 19:22:22 +0200 |
| commit | e06cb25e813d92de60f0243d00c92b08bcac2ab6 (patch) | |
| tree | 11953b3cbebe7f10dce45cf72a6d56e334228f41 /pkg | |
| parent | 11372c4c4d75d731f346c6be06e41bfe9600ce81 (diff) | |
| parent | 7ed653804cbd9a74156cfa9ec4bbe67887d03884 (diff) | |
| download | podman-e06cb25e813d92de60f0243d00c92b08bcac2ab6.tar.gz podman-e06cb25e813d92de60f0243d00c92b08bcac2ab6.tar.bz2 podman-e06cb25e813d92de60f0243d00c92b08bcac2ab6.zip | |
Merge pull request #7399 from rhatdan/v2.0
In podman 1.* regression on --cap-add
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/specgen/generate/security.go | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go index 840dcb72d..0edde4588 100644 --- a/pkg/specgen/generate/security.go +++ b/pkg/specgen/generate/security.go @@ -112,7 +112,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, // Pass capRequiredRequested in CapAdd field to normalize capabilities names capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil) if err != nil { - logrus.Errorf("capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ",")) + return errors.Wrapf(err, "capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ",")) } else { // Verify all capRequiered are in the capList for _, cap := range capsRequired { @@ -129,12 +129,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, } } - g.SetProcessNoNewPrivileges(s.NoNewPrivileges) - - if err := setupApparmor(s, rtc, g); err != nil { - return err - } - configSpec := g.Config configSpec.Process.Capabilities.Bounding = caplist @@ -142,13 +136,22 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, configSpec.Process.Capabilities.Effective = caplist configSpec.Process.Capabilities.Permitted = caplist configSpec.Process.Capabilities.Inheritable = caplist - configSpec.Process.Capabilities.Ambient = caplist } else { - configSpec.Process.Capabilities.Effective = []string{} - configSpec.Process.Capabilities.Permitted = []string{} - configSpec.Process.Capabilities.Inheritable = []string{} - configSpec.Process.Capabilities.Ambient = []string{} + userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd) + if err != nil { + return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ",")) + } + configSpec.Process.Capabilities.Effective = userCaps + configSpec.Process.Capabilities.Permitted = userCaps + configSpec.Process.Capabilities.Inheritable = userCaps } + + g.SetProcessNoNewPrivileges(s.NoNewPrivileges) + + if err := setupApparmor(s, rtc, g); err != nil { + return err + } + // HANDLE SECCOMP if s.SeccompProfilePath != "unconfined" { seccompConfig, err := getSeccompConfig(s, configSpec, newImage) |