opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-08-06 03:19:52 +08:00
Code Issues Packages Projects Releases Wiki Activity

security: use the bounding caps with --privileged

Browse Source 
when --privileged is used, make sure to not request more capabilities
than currently available in the current context.

[NO TESTS NEEDED] since it fixes existing tests.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano
2021-03-19 12:10:33 +01:00
parent f46b34ecd2
commit e85cf8f4a2
2 changed files with 38 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
pkg/specgen/generate/security.go
View File

@ -89,12 +89,28 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
// NOTE: Must happen before SECCOMP
if s.Privileged {
g.SetupPrivileged(true)
caplist = capabilities.AllCapabilities()
} else {
caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
caplist, err = capabilities.BoundingSet()
if err != nil {
return err
}
} else {
mergedCaps, err := capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
if err != nil {
return err
}
boundingSet, err := capabilities.BoundingSet()
if err != nil {
return err
}
boundingCaps := make(map[string]interface{})
for _, b := range boundingSet {
boundingCaps[b] = b
}
for _, c := range mergedCaps {
if _, ok := boundingCaps[c]; ok {
caplist = append(caplist, c)
}
}
privCapsRequired := []string{}
@ -139,10 +155,24 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
} else {
userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
mergedCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
if err != nil {
return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
}
boundingSet, err := capabilities.BoundingSet()
if err != nil {
return err
}
boundingCaps := make(map[string]interface{})
for _, b := range boundingSet {
boundingCaps[b] = b
}
var userCaps []string
for _, c := range mergedCaps {
if _, ok := boundingCaps[c]; ok {
userCaps = append(userCaps, c)
}
}
configSpec.Process.Capabilities.Effective = userCaps
configSpec.Process.Capabilities.Permitted = userCaps
configSpec.Process.Capabilities.Inheritable = userCaps