mirror of
https://github.com/containers/podman.git
synced 2025-10-20 12:43:58 +08:00

Ensure that capabilities are properly handled for non-root users in privileged containers.

We do not want to give full caps, but instead only CapInh and CapEff (others should be all-zeroes). Fixing `podman run` is easy - the same code as the Podman 1.6 fix works there. The `podman exec` command is far more challenging. Exec received a complete rewrite to use Conmon at some point before Podman 1.6, and gained many capabilities in the process. One of those was the ability to actually tweak the capabilities of the exec process - 1.0 did not have that. Since it was needed to resolve this CVE, I was forced to backport a large bit of the 1.0 -> 1.6 exec changes (passing a Process block to the OCI runtime, and using `prepareProcessExec()` to prepare said block). I am honestly uncomfortable with the size and scope of this change but I don't see another way around this.

Fixes CVE-2021-20188

Signed-off-by: Matthew Heon <mheon@redhat.com>
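The commit message states a policy for which capability sets a non-root process in a privileged container should hold. A way to verify that policy on a running container is to read the five `Cap*` bitmasks that the kernel prints in `/proc/<pid>/status`, decode them into capability names, and list which sets are populated beyond the ones the policy allows. The Go program below does that; it is an added example, not part of this commit or of Podman's own code. The function names `parseStatus`, `decode`, `auditNonRoot` and `auditPID` are mine, the two status samples are constructed, and the allowed-set list passed in `main` (`CapInh`, `CapEff`) is simply the one the commit message names; the check treats that list as the caller's policy rather than as a kernel invariant.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capNames maps capability numbers to names in the order of the kernel's
// include/uapi/linux/capability.h (bit i of a /proc mask is capability i).
var capNames = []string{
	"chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
	"setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
	"net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
	"sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
	"sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
	"sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
	"setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
	"block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
}

// setOrder is the order in which the kernel prints the five sets.
var setOrder = []string{"CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"}

// CapSets holds the real UID and the five capability bitmasks of one process.
type CapSets struct {
	UID   uint64
	Masks map[string]uint64 // keyed by the names in setOrder
}

// parseStatus reads the Uid and Cap* lines out of /proc/<pid>/status text.
func parseStatus(status string) (CapSets, error) {
	cs := CapSets{Masks: map[string]uint64{}}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue
		}
		key := strings.TrimSuffix(fields[0], ":")
		switch key {
		case "Uid": // real, effective, saved, fs UID; the real one decides "non-root"
			uid, err := strconv.ParseUint(fields[1], 10, 64)
			if err != nil {
				return cs, fmt.Errorf("bad Uid line %q: %w", sc.Text(), err)
			}
			cs.UID = uid
		case "CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb":
			mask, err := strconv.ParseUint(fields[1], 16, 64) // printed as bare hex
			if err != nil {
				return cs, fmt.Errorf("bad %s line %q: %w", key, sc.Text(), err)
			}
			cs.Masks[key] = mask
		}
	}
	return cs, sc.Err()
}

// decode turns a capability bitmask into capability names, lowest bit first.
func decode(mask uint64) []string {
	var names []string
	for i := 0; i < 64; i++ {
		if mask&(uint64(1)<<uint(i)) == 0 {
			continue
		}
		if i < len(capNames) {
			names = append(names, capNames[i])
		} else {
			names = append(names, fmt.Sprintf("cap_%d", i)) // newer than this table
		}
	}
	return names
}

// auditNonRoot returns the sets that are non-empty although not in allowed,
// in kernel print order. Root (UID 0) is out of scope and yields nil.
func auditNonRoot(cs CapSets, allowed ...string) []string {
	if cs.UID == 0 {
		return nil
	}
	ok := map[string]bool{}
	for _, a := range allowed {
		ok[a] = true
	}
	var unexpected []string
	for _, name := range setOrder {
		if cs.Masks[name] != 0 && !ok[name] {
			unexpected = append(unexpected, name)
		}
	}
	return unexpected
}

// auditPID runs the same check against a live process on this host.
func auditPID(pid int, allowed ...string) ([]string, error) {
	data, err := os.ReadFile(fmt.Sprintf("/proc/%d/status", pid))
	if err != nil {
		return nil, err
	}
	cs, err := parseStatus(string(data))
	if err != nil {
		return nil, err
	}
	return auditNonRoot(cs, allowed...), nil
}

// Constructed samples: the shape the CVE describes (a non-root process whose
// every set is full) and an ordinary non-root process in an unprivileged
// container, where only the bounding set is populated.
const sampleFull = `Name:	sh
Uid:	1000	1000	1000	1000
CapInh:	0000003fffffffff
CapPrm:	0000003fffffffff
CapEff:	0000003fffffffff
CapBnd:	0000003fffffffff
CapAmb:	0000003fffffffff
`

const sampleUser = `Name:	sh
Uid:	1000	1000	1000	1000
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

func main() {
	for _, s := range []string{sampleFull, sampleUser} {
		cs, err := parseStatus(s)
		if err != nil {
			fmt.Println(err)
			return
		}
		fmt.Printf("uid=%d effective=%v\n  sets outside policy: %v\n",
			cs.UID, decode(cs.Masks["CapEff"]), auditNonRoot(cs, "CapInh", "CapEff"))
	}
}
```

To check a container on a real host, find the PID of the process started by `podman exec` or `podman run` (for example with `podman top` or `ps`) and call `auditPID(pid, "CapInh", "CapEff")`; a non-empty result names the sets that hold capabilities the policy did not grant, and `decode` on the corresponding mask shows which capabilities those are.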