containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

security: use the bounding caps with --privileged 

when --privileged is used, make sure to not request more capabilities
than currently available in the current context.

[NO TESTS NEEDED] since it fixes existing tests.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano 2021-03-19 12:10:33 +01:00
parent f46b34ecd2
commit e85cf8f4a2
No known key found for this signature in database
GPG Key ID: E4730F97F60286ED
2 changed files with 38 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libpod/oci_conmon_linux.go
View File

@ -1268,7 +1268,10 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
return nil, err return nil, err
} }
allCaps := capabilities.AllCapabilities() allCaps, err := capabilities.BoundingSet()
if err != nil {
return nil, err
}
if options.Privileged { if options.Privileged {
pspec.Capabilities.Bounding = allCaps pspec.Capabilities.Bounding = allCaps
} else { } else {

38
pkg/specgen/generate/security.go
View File

@ -89,12 +89,28 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
// NOTE: Must happen before SECCOMP // NOTE: Must happen before SECCOMP
if s.Privileged { if s.Privileged {
g.SetupPrivileged(true) g.SetupPrivileged(true)
caplist = capabilities.AllCapabilities() caplist, err = capabilities.BoundingSet()
} else {
caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
if err != nil { if err != nil {
return err return err
} }
} else {
mergedCaps, err := capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
if err != nil {
return err
}
boundingSet, err := capabilities.BoundingSet()
if err != nil {
return err
}
boundingCaps := make(map[string]interface{})
for _, b := range boundingSet {
boundingCaps[b] = b
}
for _, c := range mergedCaps {
if _, ok := boundingCaps[c]; ok {
caplist = append(caplist, c)
}
}
privCapsRequired := []string{} privCapsRequired := []string{}
@ -139,10 +155,24 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Process.Capabilities.Permitted = caplist configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist configSpec.Process.Capabilities.Inheritable = caplist
} else { } else {
userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil) mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
if err != nil { if err != nil {
return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ",")) return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
} }
boundingSet, err := capabilities.BoundingSet()
if err != nil {
return err
}
boundingCaps := make(map[string]interface{})
for _, b := range boundingSet {
boundingCaps[b] = b
}
var userCaps []string
for _, c := range mergedCaps {
if _, ok := boundingCaps[c]; ok {
userCaps = append(userCaps, c)
}
}
configSpec.Process.Capabilities.Effective = userCaps configSpec.Process.Capabilities.Effective = userCaps
configSpec.Process.Capabilities.Permitted = userCaps configSpec.Process.Capabilities.Permitted = userCaps
configSpec.Process.Capabilities.Inheritable = userCaps configSpec.Process.Capabilities.Inheritable = userCaps