From fe69aa9ba385f5d44b95f549b6b223589131c1f7 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 17 Jun 2020 10:43:36 -0400 Subject: Handle dropping capabilties correctly when running as non root user Signed-off-by: Daniel J Walsh --- pkg/specgen/generate/security.go | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'pkg/specgen/generate') diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go index d2229b06f..f3821d1f7 100644 --- a/pkg/specgen/generate/security.go +++ b/pkg/specgen/generate/security.go @@ -67,7 +67,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, g.SetupPrivileged(true) caplist = capabilities.AllCapabilities() } else { - caplist, err = rtc.Capabilities(s.User, s.CapAdd, s.CapDrop) + caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop) if err != nil { return err } @@ -107,10 +107,18 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, } configSpec := g.Config configSpec.Process.Capabilities.Bounding = caplist - configSpec.Process.Capabilities.Permitted = caplist - configSpec.Process.Capabilities.Inheritable = caplist - configSpec.Process.Capabilities.Effective = caplist - configSpec.Process.Capabilities.Ambient = caplist + + if s.User == "" || s.User == "root" || s.User == "0" { + configSpec.Process.Capabilities.Effective = caplist + configSpec.Process.Capabilities.Permitted = caplist + configSpec.Process.Capabilities.Inheritable = caplist + configSpec.Process.Capabilities.Ambient = caplist + } else { + configSpec.Process.Capabilities.Effective = []string{} + configSpec.Process.Capabilities.Permitted = []string{} + configSpec.Process.Capabilities.Inheritable = []string{} + configSpec.Process.Capabilities.Ambient = []string{} + } // HANDLE SECCOMP if s.SeccompProfilePath != "unconfined" { seccompConfig, err := getSeccompConfig(s, configSpec, newImage) -- cgit v1.2.3-54-g00ecf