Cleanup the golangci.yml file and enable more linters.
`pkg/spec` and `iopodman.io` is history. The vendor directory
is excluded by default. The dependencies dir was listed twice.
Fix the reported problems in `pkg/specgen` because that was also
excluded by `pkg/spec`.
Enable the structcheck, typecheck, varcheck, deadcode and depguard
linters.
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
When I launch a container with --userns=keep-id the rootless processes
should have no caps by default even if I launch the container with
--privileged. It should only get the caps if I specify by hand the
caps I want leaked to the process.
Currently we turn off capeff and capamb, but not capinh. This patch
treats capinh the same way as capeff and capamb.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When running a privileged container and `SeccompProfilePath` is empty no seccomp profile should be applied.
(Previously this was the case only if `SeccompProfilePath` was set to a non-empty default path.)
Closes#8849
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
The existing code prevents containers.conf default sysctls from
being added if the container uses a host namespace. This patch
expands that to not just host namespaces, but also *shared*
namespaces - so we never modify another container's (or a pod's)
namespaces without being explicitly directed to do so by the
user.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Handle the ALL Flag when running with an account as a user.
Currently we throw an error when the user specifies
podman run --user bin --cap-add all fedora echo hello
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
if --userns=keep-id is specified and not --user is specified, take the
unprivileged capabilities code path so that ambient capabilities are
honored in the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
if the kernel supports ambient capabilities (Linux 4.3+), also set
them when running with euid != 0.
This is different that what Moby does, as ambient capabilities are
never set.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
change capabilities handling to reflect what docker does.
Bounding: set to caplist
Inheritable: set to caplist
Effective: if uid != 0 then clear; else set to caplist
Permitted: if uid != 0 then clear; else set to caplist
Ambient: clear
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
If user sets namespace to host, then default sysctls need to be ignored
that are specific to that namespace.
--net=host ignore sysctls that begin with net.
--ipc=host ignore fs.mqueue
--uts=host ignore kernel.domainname and kernel.hostname
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
If we select "unconfined" as AppArmor profile, then we should not error
even if the host does not support it at all. This behavior has been
fixed and a corresponding e2e test has been added as well.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
In podman 1.0 if you executed a command like:
podman run --user dwalsh --cap-add net_bind_service alpine nc -l 80
It would work, and the user dwalsh would get the capability, in
podman 2.0, only root and the binding set gets the capability.
This change restores us back to the way podman 1.0 worked.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
To sync the behavior between AppArmor and seccomp it is now possible to
also specify seccomp profiles for privileged containers.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Currently you can not apply an ApparmorProfile if you specify
--privileged. This patch will allow both to be specified
simultaniosly.
By default Apparmor should be disabled if the user
specifies --privileged, but if the user specifies --security apparmor:PROFILE,
with --privileged, we should do both.
Added e2e run_apparmor_test.go
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
With the advent of Podman 2.0.0 we crossed the magical barrier of go
modules. While we were able to continue importing all packages inside
of the project, the project could not be vendored anymore from the
outside.
Move the go module to new major version and change all imports to
`github.com/containers/libpod/v2`. The renaming of the imports
was done via `gomove` [1].
[1] https://github.com/KSubedi/gomove
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
If user sets capabilities list we need handle minimal capabilities.
Also handle seccomp-policy being passed in.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Paul Holzinger
Daniel J Walsh
OpenShift Merge Robot
Max Goltzsche
Josh Soref
Matthew Heon
Giuseppe Scrivano
Sascha Grunert
Valentin Rothberg
Brent Baude