opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-20 00:51:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

Handle dropping capabilties correctly when running as non root user

Browse Source 
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2020-06-17 10:43:36 -04:00
parent 7b00e49f65
commit fe69aa9ba3
3 changed files with 59 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
pkg/specgen/generate/security.go
View File

@ -67,7 +67,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
g.SetupPrivileged(true)
caplist = capabilities.AllCapabilities()
} else {
caplist, err = rtc.Capabilities(s.User, s.CapAdd, s.CapDrop)
caplist, err = capabilities.MergeCapabilities(rtc.Containers.DefaultCapabilities, s.CapAdd, s.CapDrop)
if err != nil {
return err
}
@ -107,10 +107,18 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
}
configSpec := g.Config
configSpec.Process.Capabilities.Bounding = caplist
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Ambient = caplist
if s.User == "" || s.User == "root" || s.User == "0" {
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
configSpec.Process.Capabilities.Ambient = caplist
} else {
configSpec.Process.Capabilities.Effective = []string{}
configSpec.Process.Capabilities.Permitted = []string{}
configSpec.Process.Capabilities.Inheritable = []string{}
configSpec.Process.Capabilities.Ambient = []string{}
}
// HANDLE SECCOMP
if s.SeccompProfilePath != "unconfined" {
seccompConfig, err := getSeccompConfig(s, configSpec, newImage)