From e85cf8f4a2a9fa838087e2b55c93c61f7996b9b7 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Fri, 19 Mar 2021 12:10:33 +0100
Subject: security: use the bounding caps with --privileged

when --privileged is used, make sure to not request more capabilities
than currently available in the current context.

[NO TESTS NEEDED] since it fixes existing tests.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 pkg/specgen/generate/security.go | 36 +++++++++++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)

(limited to 'pkg/specgen')

diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 56aac8bfd..e0e4a47a4 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -89,12 +89,28 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	// NOTE: Must happen before SECCOMP
 	if s.Privileged {
 		g.SetupPrivileged(true)
-		caplist = capabilities.AllCapabilities()
+		caplist, err = capabilities.BoundingSet()
+		if err != nil {
+			return err
+		}
 	} else {
-		caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
+		mergedCaps, err := capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
+		if err != nil {
+			return err
+		}
+		boundingSet, err := capabilities.BoundingSet()
 		if err != nil {
 			return err
 		}
+		boundingCaps := make(map[string]interface{})
+		for _, b := range boundingSet {
+			boundingCaps[b] = b
+		}
+		for _, c := range mergedCaps {
+			if _, ok := boundingCaps[c]; ok {
+				caplist = append(caplist, c)
+			}
+		}
 
 		privCapsRequired := []string{}
 
@@ -139,10 +155,24 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 		configSpec.Process.Capabilities.Permitted = caplist
 		configSpec.Process.Capabilities.Inheritable = caplist
 	} else {
-		userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
+		mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
 		if err != nil {
 			return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
 		}
+		boundingSet, err := capabilities.BoundingSet()
+		if err != nil {
+			return err
+		}
+		boundingCaps := make(map[string]interface{})
+		for _, b := range boundingSet {
+			boundingCaps[b] = b
+		}
+		var userCaps []string
+		for _, c := range mergedCaps {
+			if _, ok := boundingCaps[c]; ok {
+				userCaps = append(userCaps, c)
+			}
+		}
 		configSpec.Process.Capabilities.Effective = userCaps
 		configSpec.Process.Capabilities.Permitted = userCaps
 		configSpec.Process.Capabilities.Inheritable = userCaps
-- 
cgit v1.2.3-54-g00ecf