summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--libpod/container_exec.go10
-rw-r--r--libpod/container_internal_linux.go8
-rw-r--r--libpod/container_log.go2
-rw-r--r--libpod/oci.go4
-rw-r--r--libpod/oci_conmon_exec_linux.go4
-rw-r--r--libpod/oci_conmon_linux.go34
-rw-r--r--pkg/rootless/rootless.go153
-rw-r--r--pkg/rootless/rootless_test.go101
-rw-r--r--pkg/specgen/generate/security.go3
-rw-r--r--test/e2e/common_test.go14
-rw-r--r--test/e2e/exec_test.go190
-rw-r--r--test/e2e/run_test.go29
12 files changed, 504 insertions, 48 deletions
diff --git a/libpod/container_exec.go b/libpod/container_exec.go
index fce26acb0..5aee847e1 100644
--- a/libpod/container_exec.go
+++ b/libpod/container_exec.go
@@ -8,7 +8,6 @@ import (
"strconv"
"time"
- "github.com/containers/common/pkg/capabilities"
"github.com/containers/podman/v2/libpod/define"
"github.com/containers/podman/v2/libpod/events"
"github.com/containers/storage/pkg/stringid"
@@ -973,20 +972,12 @@ func (c *Container) removeAllExecSessions() error {
// Make an ExecOptions struct to start the OCI runtime and prepare its exec
// bundle.
func prepareForExec(c *Container, session *ExecSession) (*ExecOptions, error) {
- // TODO: check logic here - should we set Privileged if the container is
- // privileged?
- var capList []string
- if session.Config.Privileged || c.config.Privileged {
- capList = capabilities.AllCapabilities()
- }
-
if err := c.createExecBundle(session.ID()); err != nil {
return nil, err
}
opts := new(ExecOptions)
opts.Cmd = session.Config.Command
- opts.CapAdd = capList
opts.Env = session.Config.Environment
opts.Terminal = session.Config.Terminal
opts.Cwd = session.Config.WorkDir
@@ -995,6 +986,7 @@ func prepareForExec(c *Container, session *ExecSession) (*ExecOptions, error) {
opts.DetachKeys = session.Config.DetachKeys
opts.ExitCommand = session.Config.ExitCommand
opts.ExitCommandDelay = session.Config.ExitCommandDelay
+ opts.Privileged = session.Config.Privileged
return opts, nil
}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index cefe12209..bc8f0f932 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -529,6 +529,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
}
+ availableUIDs, availableGIDs, err := rootless.GetAvailableIDMaps()
+ if err != nil {
+ return nil, err
+ }
+ g.Config.Linux.UIDMappings = rootless.MaybeSplitMappings(g.Config.Linux.UIDMappings, availableUIDs)
+ g.Config.Linux.GIDMappings = rootless.MaybeSplitMappings(g.Config.Linux.GIDMappings, availableGIDs)
+
// Hostname handling:
// If we have a UTS namespace, set Hostname in the OCI spec.
// Set the HOSTNAME environment variable unless explicitly overridden by
@@ -536,6 +543,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// set it to the host's hostname instead.
hostname := c.Hostname()
foundUTS := false
+
for _, i := range c.config.Spec.Linux.Namespaces {
if i.Type == spec.UTSNamespace && i.Path == "" {
foundUTS = true
diff --git a/libpod/container_log.go b/libpod/container_log.go
index e58503bd3..f16e08353 100644
--- a/libpod/container_log.go
+++ b/libpod/container_log.go
@@ -82,7 +82,7 @@ func (c *Container) readFromLogFile(ctx context.Context, options *logs.LogOption
if nll.Partial() {
partial += nll.Msg
continue
- } else if !nll.Partial() && len(partial) > 1 {
+ } else if !nll.Partial() && len(partial) > 0 {
nll.Msg = partial + nll.Msg
partial = ""
}
diff --git a/libpod/oci.go b/libpod/oci.go
index 157c42c38..6948e6425 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -151,8 +151,6 @@ type OCIRuntime interface {
type ExecOptions struct {
// Cmd is the command to execute.
Cmd []string
- // CapAdd is a set of capabilities to add to the executed command.
- CapAdd []string
// Env is a set of environment variables to add to the container.
Env map[string]string
// Terminal is whether to create a new TTY for the exec session.
@@ -181,6 +179,8 @@ type ExecOptions struct {
// ExitCommandDelay is a delay (in seconds) between the exec session
// exiting, and the exit command being invoked.
ExitCommandDelay uint
+ // Privileged indicates the execed process will be launched in Privileged mode
+ Privileged bool
}
// HTTPAttachStreams informs the HTTPAttach endpoint which of the container's
diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
index 4546acefb..d6b63f25e 100644
--- a/libpod/oci_conmon_exec_linux.go
+++ b/libpod/oci_conmon_exec_linux.go
@@ -398,10 +398,6 @@ func (r *ConmonOCIRuntime) startExec(c *Container, sessionID string, options *Ex
args = append(args, formatRuntimeOpts("--preserve-fds", fmt.Sprintf("%d", options.PreserveFDs))...)
}
- for _, capability := range options.CapAdd {
- args = append(args, formatRuntimeOpts("--cap", capability)...)
- }
-
if options.Terminal {
args = append(args, "-t")
}
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index e7cb5a802..6b5da439a 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -22,6 +22,7 @@ import (
"text/template"
"time"
+ "github.com/containers/common/pkg/capabilities"
"github.com/containers/common/pkg/config"
conmonConfig "github.com/containers/conmon/runner/config"
"github.com/containers/podman/v2/libpod/define"
@@ -1201,13 +1202,7 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
}
pspec.SelinuxLabel = c.config.ProcessLabel
pspec.Args = options.Cmd
- for _, cap := range options.CapAdd {
- pspec.Capabilities.Bounding = append(pspec.Capabilities.Bounding, cap)
- pspec.Capabilities.Effective = append(pspec.Capabilities.Effective, cap)
- pspec.Capabilities.Inheritable = append(pspec.Capabilities.Inheritable, cap)
- pspec.Capabilities.Permitted = append(pspec.Capabilities.Permitted, cap)
- pspec.Capabilities.Ambient = append(pspec.Capabilities.Ambient, cap)
- }
+
// We need to default this to false else it will inherit terminal as true
// from the container.
pspec.Terminal = false
@@ -1263,6 +1258,31 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
pspec.User = processUser
}
+ ctrSpec, err := c.specFromState()
+ if err != nil {
+ return nil, err
+ }
+
+ allCaps := capabilities.AllCapabilities()
+ if options.Privileged {
+ pspec.Capabilities.Bounding = allCaps
+ } else {
+ pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
+ }
+ if execUser.Uid == 0 {
+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+ pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+ pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
+ } else {
+ if user == c.config.User {
+ pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
+ pspec.Capabilities.Inheritable = ctrSpec.Process.Capabilities.Effective
+ pspec.Capabilities.Permitted = ctrSpec.Process.Capabilities.Effective
+ pspec.Capabilities.Ambient = ctrSpec.Process.Capabilities.Effective
+ }
+ }
+
hasHomeSet := false
for _, s := range pspec.Env {
if strings.HasPrefix(s, "HOME=") {
diff --git a/pkg/rootless/rootless.go b/pkg/rootless/rootless.go
index 799c793d8..df35c0d6b 100644
--- a/pkg/rootless/rootless.go
+++ b/pkg/rootless/rootless.go
@@ -2,10 +2,12 @@ package rootless
import (
"os"
+ "sort"
"sync"
"github.com/containers/storage"
"github.com/opencontainers/runc/libcontainer/user"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
)
@@ -50,24 +52,151 @@ func TryJoinPauseProcess(pausePidPath string) (bool, int, error) {
}
var (
- availableGids int64
- availableGidsErr error
- availableGidsOnce sync.Once
+ uidMap []user.IDMap
+ uidMapError error
+ uidMapOnce sync.Once
+
+ gidMap []user.IDMap
+ gidMapError error
+ gidMapOnce sync.Once
)
-// GetAvailableGids returns how many GIDs are available in the
+// GetAvailableUidMap returns the UID mappings in the
// current user namespace.
-func GetAvailableGids() (int64, error) {
- availableGidsOnce.Do(func() {
- idMap, err := user.ParseIDMapFile("/proc/self/gid_map")
+func GetAvailableUidMap() ([]user.IDMap, error) {
+ uidMapOnce.Do(func() {
+ var err error
+ uidMap, err = user.ParseIDMapFile("/proc/self/uid_map")
if err != nil {
- availableGidsErr = err
+ uidMapError = err
return
}
- availableGids = int64(0)
- for _, r := range idMap {
- availableGids += r.Count
+ })
+ return uidMap, uidMapError
+}
+
+// GetAvailableGidMap returns the GID mappings in the
+// current user namespace.
+func GetAvailableGidMap() ([]user.IDMap, error) {
+ gidMapOnce.Do(func() {
+ var err error
+ gidMap, err = user.ParseIDMapFile("/proc/self/gid_map")
+ if err != nil {
+ gidMapError = err
+ return
}
})
- return availableGids, availableGidsErr
+ return gidMap, gidMapError
+}
+
+// GetAvailableIDMaps returns the UID and GID mappings in the
+// current user namespace.
+func GetAvailableIDMaps() ([]user.IDMap, []user.IDMap, error) {
+ u, err := GetAvailableUidMap()
+ if err != nil {
+ return nil, nil, err
+ }
+ g, err := GetAvailableGidMap()
+ if err != nil {
+ return nil, nil, err
+ }
+ return u, g, nil
+}
+
+func countAvailableIDs(mappings []user.IDMap) int64 {
+ availableUids := int64(0)
+ for _, r := range mappings {
+ availableUids += r.Count
+ }
+ return availableUids
+}
+
+// GetAvailableUids returns how many UIDs are available in the
+// current user namespace.
+func GetAvailableUids() (int64, error) {
+ uids, err := GetAvailableUidMap()
+ if err != nil {
+ return -1, err
+ }
+
+ return countAvailableIDs(uids), nil
+}
+
+// GetAvailableGids returns how many GIDs are available in the
+// current user namespace.
+func GetAvailableGids() (int64, error) {
+ gids, err := GetAvailableGidMap()
+ if err != nil {
+ return -1, err
+ }
+
+ return countAvailableIDs(gids), nil
+}
+
+// findIDInMappings find the the mapping that contains the specified ID.
+// It assumes availableMappings is sorted by ID.
+func findIDInMappings(id int64, availableMappings []user.IDMap) *user.IDMap {
+ i := sort.Search(len(availableMappings), func(i int) bool {
+ return availableMappings[i].ID >= id
+ })
+ if i < 0 || i >= len(availableMappings) {
+ return nil
+ }
+ r := &availableMappings[i]
+ if id >= r.ID && id < r.ID+r.Count {
+ return r
+ }
+ return nil
+}
+
+// MaybeSplitMappings checks whether the specified OCI mappings are possible
+// in the current user namespace or the specified ranges must be split.
+func MaybeSplitMappings(mappings []spec.LinuxIDMapping, availableMappings []user.IDMap) []spec.LinuxIDMapping {
+ var ret []spec.LinuxIDMapping
+ var overflow spec.LinuxIDMapping
+ overflow.Size = 0
+ consumed := 0
+ sort.Slice(availableMappings, func(i, j int) bool {
+ return availableMappings[i].ID < availableMappings[j].ID
+ })
+ for {
+ cur := overflow
+ // if there is no overflow left from the previous request, get the next one
+ if cur.Size == 0 {
+ if consumed == len(mappings) {
+ // all done
+ return ret
+ }
+ cur = mappings[consumed]
+ consumed++
+ }
+
+ // Find the range where the first specified ID is present
+ r := findIDInMappings(int64(cur.HostID), availableMappings)
+ if r == nil {
+ // The requested range is not available. Just return the original request
+ // and let other layers deal with it.
+ return mappings
+ }
+
+ offsetInRange := cur.HostID - uint32(r.ID)
+
+ usableIDs := uint32(r.Count) - offsetInRange
+
+ // the current range can satisfy the whole request
+ if usableIDs >= cur.Size {
+ // reset the overflow
+ overflow.Size = 0
+ } else {
+ // the current range can satisfy the request partially
+ // so move the rest to overflow
+ overflow.Size = cur.Size - usableIDs
+ overflow.ContainerID = cur.ContainerID + usableIDs
+ overflow.HostID = cur.HostID + usableIDs
+
+ // and cap to the usableIDs count
+ cur.Size = usableIDs
+ }
+ ret = append(ret, cur)
+ }
}
diff --git a/pkg/rootless/rootless_test.go b/pkg/rootless/rootless_test.go
new file mode 100644
index 000000000..ef574099c
--- /dev/null
+++ b/pkg/rootless/rootless_test.go
@@ -0,0 +1,101 @@
+package rootless
+
+import (
+ "reflect"
+ "testing"
+
+ "github.com/opencontainers/runc/libcontainer/user"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func TestMaybeSplitMappings(t *testing.T) {
+ mappings := []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 2,
+ },
+ }
+ desiredMappings := []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 1,
+ },
+ {
+ ContainerID: 1,
+ HostID: 1,
+ Size: 1,
+ },
+ }
+ availableMappings := []user.IDMap{
+ {
+ ID: 1,
+ ParentID: 1000000,
+ Count: 65536,
+ },
+ {
+ ID: 0,
+ ParentID: 1000,
+ Count: 1,
+ },
+ }
+ newMappings := MaybeSplitMappings(mappings, availableMappings)
+ if !reflect.DeepEqual(newMappings, desiredMappings) {
+ t.Fatal("wrong mappings generated")
+ }
+
+ mappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 2,
+ },
+ }
+ desiredMappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 2,
+ },
+ }
+ availableMappings = []user.IDMap{
+ {
+ ID: 0,
+ ParentID: 1000000,
+ Count: 65536,
+ },
+ }
+ newMappings = MaybeSplitMappings(mappings, availableMappings)
+
+ if !reflect.DeepEqual(newMappings, desiredMappings) {
+ t.Fatal("wrong mappings generated")
+ }
+
+ mappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 1,
+ },
+ }
+ desiredMappings = []spec.LinuxIDMapping{
+ {
+ ContainerID: 0,
+ HostID: 0,
+ Size: 1,
+ },
+ }
+ availableMappings = []user.IDMap{
+ {
+ ID: 10000,
+ ParentID: 10000,
+ Count: 65536,
+ },
+ }
+
+ newMappings = MaybeSplitMappings(mappings, availableMappings)
+ if !reflect.DeepEqual(newMappings, desiredMappings) {
+ t.Fatal("wrong mappings generated")
+ }
+}
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 9fceec7b3..390b19beb 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -133,13 +133,13 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec := g.Config
configSpec.Process.Capabilities.Ambient = []string{}
configSpec.Process.Capabilities.Bounding = caplist
- configSpec.Process.Capabilities.Inheritable = caplist
user := strings.Split(s.User, ":")[0]
if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Permitted = caplist
+ configSpec.Process.Capabilities.Inheritable = caplist
} else {
userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
if err != nil {
@@ -147,6 +147,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
}
configSpec.Process.Capabilities.Effective = userCaps
configSpec.Process.Capabilities.Permitted = userCaps
+ configSpec.Process.Capabilities.Inheritable = userCaps
// Ambient capabilities were added to Linux 4.3. Set ambient
// capabilities only when the kernel supports them.
diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
index a076ada6b..18679dd53 100644
--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -378,10 +378,17 @@ func GetRandomIPAddress() string {
// RunTopContainer runs a simple container in the background that
// runs top. If the name passed != "", it will have a name
func (p *PodmanTestIntegration) RunTopContainer(name string) *PodmanSessionIntegration {
+ return p.RunTopContainerWithArgs(name, nil)
+}
+
+// RunTopContainerWithArgs runs a simple container in the background that
+// runs top. If the name passed != "", it will have a name, command args can also be passed in
+func (p *PodmanTestIntegration) RunTopContainerWithArgs(name string, args []string) *PodmanSessionIntegration {
var podmanArgs = []string{"run"}
if name != "" {
podmanArgs = append(podmanArgs, "--name", name)
}
+ podmanArgs = append(podmanArgs, args...)
podmanArgs = append(podmanArgs, "-d", ALPINE, "top")
return p.Podman(podmanArgs)
}
@@ -538,12 +545,7 @@ func (p *PodmanTestIntegration) CreatePodWithLabels(name string, labels map[stri
}
func (p *PodmanTestIntegration) RunTopContainerInPod(name, pod string) *PodmanSessionIntegration {
- var podmanArgs = []string{"run", "--pod", pod}
- if name != "" {
- podmanArgs = append(podmanArgs, "--name", name)
- }
- podmanArgs = append(podmanArgs, "-d", ALPINE, "top")
- return p.Podman(podmanArgs)
+ return p.RunTopContainerWithArgs(name, []string{"--pod", pod})
}
func (p *PodmanTestIntegration) RunHealthCheck(cid string) error {
diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go
index 18737105e..b180d881a 100644
--- a/test/e2e/exec_test.go
+++ b/test/e2e/exec_test.go
@@ -120,18 +120,200 @@ var _ = Describe("Podman exec", func() {
})
It("podman exec --privileged", func() {
- hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
- Expect(hostCap.ExitCode()).To(Equal(0))
+ session := podmanTest.Podman([]string{"run", "--privileged", "--rm", ALPINE, "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ bndPerms := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--privileged", "--rm", ALPINE, "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ effPerms := session.OutputToString()
+
+ setup := podmanTest.RunTopContainer("test-privileged")
+ setup.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(effPerms))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "test-privileged", "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(bndPerms))
+
+ })
+
+ It("podman exec --privileged", func() {
+ session := podmanTest.Podman([]string{"run", "--privileged", "--user=bin", "--rm", ALPINE, "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ bndPerms := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--privileged", "--user=bin", "--rm", ALPINE, "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ effPerms := session.OutputToString()
+
+ setup := podmanTest.RunTopContainer("test-privileged")
+ setup.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "--user=bin", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(effPerms))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "--user=bin", "test-privileged", "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(bndPerms))
+
+ })
+
+ It("podman exec --privileged", func() {
+ session := podmanTest.Podman([]string{"run", "--privileged", "--rm", ALPINE, "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ bndPerms := session.OutputToString()
setup := podmanTest.RunTopContainer("test-privileged")
setup.WaitWithDefaultTimeout()
Expect(setup.ExitCode()).To(Equal(0))
- session := podmanTest.Podman([]string{"exec", "--privileged", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session = podmanTest.Podman([]string{"exec", "--privileged", "--user=bin", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000"))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "--user=bin", "test-privileged", "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(bndPerms))
+ })
- containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
+ It("podman exec --privileged container not running as root", func() {
+ session := podmanTest.Podman([]string{"run", "--privileged", "--rm", ALPINE, "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ bndPerms := session.OutputToString()
+
+ setup := podmanTest.RunTopContainerWithArgs("test-privileged", []string{"--user=bin"})
+ setup.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000"))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "--user=bin", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000"))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "--user=root", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(bndPerms))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "--user=bin", "test-privileged", "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(bndPerms))
+ })
+
+ It("podman exec with user with cap-add", func() {
+ capAdd := "--cap-add=net_bind_service"
+ session := podmanTest.Podman([]string{"run", "--user=bin", capAdd, "--rm", ALPINE, "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ bndPerms := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--user=bin", capAdd, "--rm", ALPINE, "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ effPerms := session.OutputToString()
+
+ setup := podmanTest.RunTopContainerWithArgs("test-privileged", []string{"--user=bin", capAdd})
+ setup.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"exec", "test-privileged", "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(bndPerms))
+
+ session = podmanTest.Podman([]string{"exec", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(effPerms))
+ })
+
+ It("podman exec with user with and cap-drop cap-add", func() {
+ capAdd := "--cap-add=net_bind_service"
+ capDrop := "--cap-drop=all"
+ session := podmanTest.Podman([]string{"run", "--user=bin", capDrop, capAdd, "--rm", ALPINE, "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ bndPerms := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--user=bin", capDrop, capAdd, "--rm", ALPINE, "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ effPerms := session.OutputToString()
+
+ setup := podmanTest.RunTopContainerWithArgs("test-privileged", []string{"--user=bin", capDrop, capAdd})
+ setup.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"exec", "test-privileged", "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(bndPerms))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "test-privileged", "sh", "-c", "grep ^CapInh /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(effPerms))
+
+ session = podmanTest.Podman([]string{"exec", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(effPerms))
+
+ session = podmanTest.Podman([]string{"exec", "test-privileged", "sh", "-c", "grep ^CapPrm /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(effPerms))
+
+ session = podmanTest.Podman([]string{"exec", "test-privileged", "sh", "-c", "grep ^CapAmb /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(effPerms))
+ })
+
+ It("podman exec --privileged with user", func() {
+ session := podmanTest.Podman([]string{"run", "--privileged", "--user=bin", "--rm", ALPINE, "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ bindPerms := session.OutputToString()
+
+ setup := podmanTest.RunTopContainerWithArgs("test-privileged", []string{"--privileged", "--user=bin"})
+ setup.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "test-privileged", "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(bindPerms))
+
+ session = podmanTest.Podman([]string{"exec", "--privileged", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
})
It("podman exec terminal doesn't hang", func() {
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 92d7d222e..19060ecdc 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -342,6 +342,11 @@ var _ = Describe("Podman run", func() {
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+ session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+
session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapBnd", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
@@ -352,6 +357,11 @@ var _ = Describe("Podman run", func() {
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+ session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+
session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
@@ -367,10 +377,10 @@ var _ = Describe("Podman run", func() {
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
- session = podmanTest.Podman([]string{"run", "--user=1000:1000", "--rm", ALPINE, "grep", "CapAmb", "/proc/self/status"})
+ session = podmanTest.Podman([]string{"run", "--user=1000:1000", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
- Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+ Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
session = podmanTest.Podman([]string{"run", "--user=0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapAmb", "/proc/self/status"})
session.WaitWithDefaultTimeout()
@@ -382,6 +392,11 @@ var _ = Describe("Podman run", func() {
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+ session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+
if os.Geteuid() > 0 {
if os.Getenv("SKIP_USERNS") != "" {
Skip("Skip userns tests.")
@@ -393,6 +408,16 @@ var _ = Describe("Podman run", func() {
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
+
+ session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+
+ session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
}
})