From 7b368768c2990b9781b2b6813e1c7f91c7e6cb13 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 28 Feb 2022 09:48:52 +0100
Subject: do not set the inheritable capabilities

The kernel never sets the inheritable capabilities for a process, they are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27649
Signed-off-by: Giuseppe Scrivano
(cherry picked from commit aafa80918a245edcbdaceb1191d749570f1872d0)
---
 test/e2e/run_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'test')
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 91a2eddad..f4a6e5733 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -498,7 +498,7 @@ var _ = Describe("Podman run", func() {
 session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
-Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
 
 session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
@@ -533,7 +533,7 @@ var _ = Describe("Podman run", func() {
 session = podmanTest.Podman([]string{"run", "--user=0:0", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
-Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
+Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
 
 if os.Geteuid() > 0 {
 if os.Getenv("SKIP_USERNS") != "" {
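Review bot: The new `+` line in the `-498` hunk asserts only that `0000000000000000` appears somewhere in the grep output, with no comment saying why an empty inheritable set is the intended value; the same applies to the `-533` hunk, where a reader may well expect the `--cap-add=DAC_OVERRIDE` bit to show up in CapInh and read the zeros as a regression rather than the fix. I would add above each assertion `// CapInh must be empty: the kernel never populates the inheritable set, only userspace can (CVE-2022-27649).` Since the ambient set can only be a subset of the inheritable set, the same runs could also assert that `CapAmb` is `0000000000000000`, which would catch a regression that repopulates both sets together. The `It` block these assertions belong to starts and ends outside the hunks.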
@@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() {
 session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
-Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
+Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
 
 session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
-- cgit v1.2.3-54-g00ecf
From e7b7fcbd8a8bfc71ce4d038fe50fee59ac26ca45 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 25 Mar 2022 15:50:26 +0100
Subject: test: fix podman run test as rootless

aafa80918a245edcbdaceb1191d749570f1872d0 introduced the regression.
Signed-off-by: Giuseppe Scrivano
(cherry picked from commit 640c2d53a88f46e997d4e5a594cfc85a57e74d36)
---
 test/e2e/run_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'test')
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index f4a6e5733..81dcc4342 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -550,7 +550,7 @@ var _ = Describe("Podman run", func() {
 session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--privileged", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
-Expect(session.OutputToString()).To(ContainSubstring("0000000000000002"))
+Expect(session.OutputToString()).To(ContainSubstring("0000000000000000"))
 
 session = podmanTest.Podman([]string{"run", "--userns=keep-id", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapInh", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
-- cgit v1.2.3-54-g00ecf
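Review bot: The `+` line of the first commit's `-550` hunk expects CapInh to be `0000000000000002` for `--userns=keep-id --privileged`, which contradicts the commit's own message that the inheritable set is only ever populated by userspace and is emulated as empty; the second commit on this page (e7b7fcb) restores `0000000000000000` for exactly this line. Judging from the `if os.Geteuid() > 0` context visible in the `-533` hunk, this assertion appears to sit in the rootless-only branch, so a root-only CI run would not have exercised the wrong value — worth marking with `// rootless only: guarded by the Geteuid() check above` so the expectation is reviewed under both modes. The enclosing `It` block continues outside the hunk.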
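Review bot: The restored `0000000000000000` on the `+` line of the second commit's `-550` hunk carries no explanation of why `--privileged` combined with `--userns=keep-id` still yields an empty inheritable set, and the commit message only says the earlier commit "introduced the regression" without saying which value was wrong. I would add above the assertion `// CapInh stays empty even with --privileged: the inheritable set is only ever populated by userspace (CVE-2022-27649).` and have the message state that the rootless expectation of `0000000000000002` was incorrect. The assertion for the following `--cap-add=DAC_OVERRIDE` keep-id run falls outside the hunk, so I cannot tell from here whether it was brought in line with this one.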