opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-09-11 00:54:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #19871 from giuseppe/accept-empty-capabilities

Browse Source 
security: accept empty capabilities list
This commit is contained in:
OpenShift Merge Robot
2023-09-06 17:16:52 +02:00
committed by GitHub
parent 2806378c1a 30abd7f1af
commit af17ddaeed
2 changed files with 20 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/specgen/generate/security_linux.go
View File

@ -125,7 +125,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
capsRequiredRequested = strings.Split(val, ",") capsRequiredRequested = strings.Split(val, ",")
} }
} }
if !s.Privileged && len(capsRequiredRequested) > 0 { if !s.Privileged && len(capsRequiredRequested) == 1 && capsRequiredRequested[0] == "" {
caplist = []string{}
} else if !s.Privileged && len(capsRequiredRequested) > 0 {
// Pass capRequiredRequested in CapAdd field to normalize capabilities names // Pass capRequiredRequested in CapAdd field to normalize capabilities names
capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil) capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil)
if err != nil { if err != nil {

17
test/e2e/run_security_labels_test.go
View File

@ -11,6 +11,23 @@ import (
var _ = Describe("Podman generate kube", func() { var _ = Describe("Podman generate kube", func() {
It("podman empty security labels", func() {
test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=", "--name", "test1", "alpine", "echo", "test1"})
test1.WaitWithDefaultTimeout()
Expect(test1).Should(Exit(0))
inspect := podmanTest.Podman([]string{"inspect", "test1"})
inspect.WaitWithDefaultTimeout()
Expect(inspect).Should(Exit(0))
ctr := inspect.InspectContainerToJSON()
Expect(ctr[0].EffectiveCaps).To(BeNil())
test2 := podmanTest.Podman([]string{"run", "--label", "io.containers.capabilities=", "alpine", "grep", "^CapEff", "/proc/self/status"})
test2.WaitWithDefaultTimeout()
Expect(test2.OutputToString()).To(ContainSubstring("0000000000000000"))
})
It("podman security labels", func() { It("podman security labels", func() {
test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"}) test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"})
test1.WaitWithDefaultTimeout() test1.WaitWithDefaultTimeout()