From 3848cac86052369c35a76f86a1f8e5471dfdf9e2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 17 Aug 2020 06:28:45 -0400 Subject: In podman 1.* regression on --cap-add In podman 1.0 if you executed a command like: podman run --user dwalsh --cap-add net_bind_service alpine nc -l 80 It would work, and the user dwalsh would get the capability, in podman 2.0, only root and the binding set gets the capability. This change restores us back to the way podman 1.0 worked. Signed-off-by: Daniel J Walsh --- pkg/specgen/generate/security.go | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) (limited to 'pkg') diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go index 5e4cc3399..d3e3d9278 100644 --- a/pkg/specgen/generate/security.go +++ b/pkg/specgen/generate/security.go @@ -112,7 +112,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, // Pass capRequiredRequested in CapAdd field to normalize capabilities names capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil) if err != nil { - logrus.Errorf("capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ",")) + return errors.Wrapf(err, "capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ",")) } else { // Verify all capRequiered are in the capList for _, cap := range capsRequired { @@ -129,12 +129,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, } } - g.SetProcessNoNewPrivileges(s.NoNewPrivileges) - - if err := setupApparmor(s, rtc, g); err != nil { - return err - } - configSpec := g.Config configSpec.Process.Capabilities.Bounding = caplist @@ -142,13 +136,21 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator, configSpec.Process.Capabilities.Effective = caplist configSpec.Process.Capabilities.Permitted = caplist configSpec.Process.Capabilities.Inheritable = caplist - configSpec.Process.Capabilities.Ambient = caplist } else { - configSpec.Process.Capabilities.Effective = []string{} - configSpec.Process.Capabilities.Permitted = []string{} - configSpec.Process.Capabilities.Inheritable = []string{} - configSpec.Process.Capabilities.Ambient = []string{} + userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd) + if err != nil { + return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ",")) + } + configSpec.Process.Capabilities.Effective = userCaps + configSpec.Process.Capabilities.Permitted = userCaps } + + g.SetProcessNoNewPrivileges(s.NoNewPrivileges) + + if err := setupApparmor(s, rtc, g); err != nil { + return err + } + // HANDLE SECCOMP if s.SeccompProfilePath != "unconfined" { seccompConfig, err := getSeccompConfig(s, configSpec, newImage) -- cgit v1.2.3-54-g00ecf