Skip to content

Commit

Permalink
Clear all caps, except the bounding set, when --user is specified.
Browse files Browse the repository at this point in the history
Currently we are giving all caps to users when running with podman run --user,
They should get none by default.  If the command line includes --cap-add, then
we need to run with those capabilties.  Similarly we need to drop caps from
bounding set, if user specifies --cap-drop

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #851
Approved by: mheon
  • Loading branch information
rhatdan authored and rh-atomic-bot committed May 31, 2018
1 parent e6b088f commit bae80a0
Show file tree
Hide file tree
Showing 2 changed files with 28 additions and 0 deletions.
19 changes: 19 additions & 0 deletions pkg/spec/spec.go
Original file line number Diff line number Diff line change
Expand Up @@ -388,8 +388,19 @@ func addRlimits(config *CreateConfig, g *generate.Generator) error {
}

func setupCapabilities(config *CreateConfig, configSpec *spec.Spec) error {
useNotRoot := func(user string) bool {
if user == "" || user == "root" || user == "0" {
return false
}
return true
}

var err error
var caplist []string
bounding := configSpec.Process.Capabilities.Bounding
if useNotRoot(config.User) {
configSpec.Process.Capabilities.Bounding = caplist
}
caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
if err != nil {
return err
Expand All @@ -399,6 +410,14 @@ func setupCapabilities(config *CreateConfig, configSpec *spec.Spec) error {
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Ambient = caplist
if useNotRoot(config.User) {
caplist, err = caps.TweakCapabilities(bounding, config.CapAdd, config.CapDrop)
if err != nil {
return err
}
}
configSpec.Process.Capabilities.Bounding = caplist
return nil
}

Expand Down
9 changes: 9 additions & 0 deletions test/e2e/run_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (
"io/ioutil"
"os"
"path/filepath"
"strings"

"github.com/mrunalp/fileutils"
. "github.com/onsi/ginkgo"
Expand Down Expand Up @@ -369,6 +370,14 @@ var _ = Describe("Podman run", func() {
Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
})

It("podman run with user, verify caps dropped", func() {
session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "grep", "CapEff", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
capEff := strings.Split(session.OutputToString(), " ")
Expect("0000000000000000").To(Equal(capEff[1]))
})

It("podman run with attach stdin outputs container ID", func() {
session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"})
session.WaitWithDefaultTimeout()
Expand Down

0 comments on commit bae80a0

Please sign in to comment.