drivers/exec: enable setting allow_caps on exec driver

This PR enables setting allow_caps on the exec driver plugin configuration, as well as cap_add and cap_drop in exec task configuration. These options replicate the functionality already present in the docker task driver. Important: this change also reduces the default set of capabilities enabled by the exec driver to match the default set enabled by the docker driver. Until v1.0.5 the exec task driver would enable all capabilities supported by the operating system. v1.0.5 removed NET_RAW from that list of default capabilities, but left may others which could potentially also be leveraged by compromised tasks. Important: the "root" user is still special cased when used with the exec driver. Older versions of Nomad enabled enabled all capabilities supported by the operating system for tasks set with the root user. To maintain compatibility with existing clusters we continue supporting this "feature", however we maintain support for the legacy set of capabilities rather than enabling all capabilities now supported on modern operating systems.
hashicorp · May 14, 2021 · d817d12 · d817d12
1 parent 9562986
commit d817d12
Show file tree

Hide file tree

Showing 13 changed files with 806 additions and 132 deletions.
diff --git a/drivers/docker/config.go b/drivers/docker/config.go
@@ -10,6 +10,7 @@ import (
 
 	docker "github.com/fsouza/go-dockerclient"
 	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/nomad/drivers/shared/capabilities"
 	"github.com/hashicorp/nomad/helper/pluginutils/hclutils"
 	"github.com/hashicorp/nomad/helper/pluginutils/loader"
 	"github.com/hashicorp/nomad/plugins/base"
@@ -287,7 +288,7 @@ var (
 		"allow_privileged": hclspec.NewAttr("allow_privileged", "bool", false),
 		"allow_caps": hclspec.NewDefault(
 			hclspec.NewAttr("allow_caps", "list(string)", false),
-			hclspec.NewLiteral(`["CHOWN","DAC_OVERRIDE","FSETID","FOWNER","MKNOD","SETGID","SETUID","SETFCAP","SETPCAP","NET_BIND_SERVICE","SYS_CHROOT","KILL","AUDIT_WRITE"]`),
+			hclspec.NewLiteral(capabilities.HCLSpecLiteral),
 		),
 		"nvidia_runtime": hclspec.NewDefault(
 			hclspec.NewAttr("nvidia_runtime", "string", false),
@@ -427,9 +428,9 @@ var (
 		"work_dir":        hclspec.NewAttr("work_dir", "string", false),
 	})
 
-	// capabilities is returned by the Capabilities RPC and indicates what
-	// optional features this driver supports
-	capabilities = &drivers.Capabilities{
+	// driverCapabilities represents the RPC response for what features are
+	// implemented by the docker task driver
+	driverCapabilities = &drivers.Capabilities{
 		SendSignals: true,
 		Exec:        true,
 		FSIsolation: drivers.FSIsolationImage,
@@ -788,8 +789,10 @@ func (d *Driver) TaskConfigSchema() (*hclspec.Spec, error) {
 	return taskConfigSpec, nil
 }
 
+// Capabilities is returned by the Capabilities RPC and indicates what optional
+// features this driver supports.
 func (d *Driver) Capabilities() (*drivers.Capabilities, error) {
-	return capabilities, nil
+	return driverCapabilities, nil
 }
 
 var _ drivers.InternalCapabilitiesDriver = (*Driver)(nil)

diff --git a/drivers/exec/driver.go b/drivers/exec/driver.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/nomad/client/lib/cgutil"
+	"github.com/hashicorp/nomad/drivers/shared/capabilities"
 
 	"github.com/hashicorp/consul-template/signals"
 	hclog "github.com/hashicorp/go-hclog"
@@ -74,6 +75,10 @@ var (
 			hclspec.NewAttr("default_ipc_mode", "string", false),
 			hclspec.NewLiteral(`"private"`),
 		),
+		"allow_caps": hclspec.NewDefault(
+			hclspec.NewAttr("allow_caps", "list(string)", false),
+			hclspec.NewLiteral(capabilities.HCLSpecLiteral),
+		),
 	})
 
 	// taskConfigSpec is the hcl specification for the driver config section of
@@ -83,11 +88,13 @@ var (
 		"args":     hclspec.NewAttr("args", "list(string)", false),
 		"pid_mode": hclspec.NewAttr("pid_mode", "string", false),
 		"ipc_mode": hclspec.NewAttr("ipc_mode", "string", false),
+		"cap_add":  hclspec.NewAttr("cap_add", "list(string)", false),
+		"cap_drop": hclspec.NewAttr("cap_drop", "list(string)", false),
 	})
 
-	// capabilities is returned by the Capabilities RPC and indicates what
-	// optional features this driver supports
-	capabilities = &drivers.Capabilities{
+	// driverCapabilities represents the RPC response for what features are
+	// implemented by the exec task driver
+	driverCapabilities = &drivers.Capabilities{
 		SendSignals: true,
 		Exec:        true,
 		FSIsolation: drivers.FSIsolationChroot,
@@ -141,6 +148,10 @@ type Config struct {
 	// DefaultModeIPC is the default IPC isolation set for all tasks using
 	// exec-based task drivers.
 	DefaultModeIPC string `codec:"default_ipc_mode"`
+
+	// AllowCaps configures which Linux Capabilities are enabled for tasks
+	// running on this node.
+	AllowCaps []string `codec:"allow_caps"`
 }
 
 func (c *Config) validate() error {
@@ -156,6 +167,11 @@ func (c *Config) validate() error {
 		return fmt.Errorf("default_ipc_mode must be %q or %q, got %q", executor.IsolationModePrivate, executor.IsolationModeHost, c.DefaultModeIPC)
 	}
 
+	badCaps := capabilities.Supported().Difference(capabilities.New(c.AllowCaps))
+	if !badCaps.Empty() {
+		return fmt.Errorf("allow_caps configured with capabilities not supported by system: %s", badCaps)
+	}
+
 	return nil
 }
 
@@ -174,6 +190,12 @@ type TaskConfig struct {
 	// ModeIPC indicates whether IPC namespace isolation is enabled for the task.
 	// Must be "private" or "host" if set.
 	ModeIPC string `codec:"ipc_mode"`
+
+	// CapAdd is a set of linux capabilities to enable.
+	CapAdd []string `codec:"cap_add"`
+
+	// CapDrop is a set of linux capabilities to disable.
+	CapDrop []string `codec:"cap_drop"`
 }
 
 func (tc *TaskConfig) validate() error {
@@ -189,6 +211,16 @@ func (tc *TaskConfig) validate() error {
 		return fmt.Errorf("ipc_mode must be %q or %q, got %q", executor.IsolationModePrivate, executor.IsolationModeHost, tc.ModeIPC)
 	}
 
+	supported := capabilities.Supported()
+	badAdds := supported.Difference(capabilities.New(tc.CapAdd))
+	if !badAdds.Empty() {
+		return fmt.Errorf("cap_add configured with capabilities not supported by system: %s", badAdds)
+	}
+	badDrops := supported.Difference(capabilities.New(tc.CapDrop))
+	if !badDrops.Empty() {
+		return fmt.Errorf("cap_drop configured with capabilities not supported by system: %s", badDrops)
+	}
+
 	return nil
 }
 
@@ -266,8 +298,33 @@ func (d *Driver) TaskConfigSchema() (*hclspec.Spec, error) {
 	return taskConfigSpec, nil
 }
 
+// getCaps computes the complete set of linux capabilities to enable for driver,
+// which gets passed along to libcontainer.
+func (d *Driver) getCaps(tc *TaskConfig) ([]string, error) {
+	driverAllowed := capabilities.New(d.config.AllowCaps)
+
+	// determine caps the task wants that are not allowed
+	taskCaps := capabilities.New(tc.CapAdd)
+	missing := driverAllowed.Difference(taskCaps)
+	if !missing.Empty() {
+		return nil, fmt.Errorf("driver does not allow the following capabilities: %s", missing)
+	}
+
+	// if task did not specify allowed caps, use nomad defaults minus task drops
+	if len(tc.CapAdd) == 0 {
+		driverAllowed.Remove(tc.CapDrop)
+		return driverAllowed.Slice(true), nil
+	}
+
+	// otherwise task did specify allowed caps, enable exactly those
+	taskAdd := capabilities.New(tc.CapAdd)
+	return taskAdd.Slice(true), nil
+}
+
+// Capabilities is returned by the Capabilities RPC and indicates what
+// optional features this driver supports
 func (d *Driver) Capabilities() (*drivers.Capabilities, error) {
-	return capabilities, nil
+	return driverCapabilities, nil
 }
 
 func (d *Driver) Fingerprint(ctx context.Context) (<-chan *drivers.Fingerprint, error) {
@@ -439,6 +496,11 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 		cfg.Mounts = append(cfg.Mounts, dnsMount)
 	}
 
+	caps, err := d.getCaps(&driverConfig)
+	if err != nil {
+		return nil, nil, err
+	}
+
 	execCmd := &executor.ExecCommand{
 		Cmd:              driverConfig.Command,
 		Args:             driverConfig.Args,
@@ -455,6 +517,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 		NetworkIsolation: cfg.NetworkIsolation,
 		ModePID:          executor.IsolationMode(d.config.DefaultModePID, driverConfig.ModePID),
 		ModeIPC:          executor.IsolationMode(d.config.DefaultModeIPC, driverConfig.ModeIPC),
+		Capabilities:     caps,
 	}
 
 	ps, err := exec.Launch(execCmd)
@@ -482,7 +545,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 
 	if err := handle.SetDriverState(&driverState); err != nil {
 		d.logger.Error("failed to start task, error setting driver state", "error", err)
-		exec.Shutdown("", 0)
+		_ = exec.Shutdown("", 0)
 		pluginClient.Kill()
 		return nil, nil, fmt.Errorf("failed to set driver state: %v", err)
 	}

diff --git a/drivers/exec/driver_test.go b/drivers/exec/driver_test.go
@@ -764,42 +764,99 @@ func TestExecDriver_NoPivotRoot(t *testing.T) {
 }
 
 func TestDriver_Config_validate(t *testing.T) {
-	for _, tc := range []struct {
-		pidMode, ipcMode string
-		exp              error
-	}{
-		{pidMode: "host", ipcMode: "host", exp: nil},
-		{pidMode: "private", ipcMode: "host", exp: nil},
-		{pidMode: "host", ipcMode: "private", exp: nil},
-		{pidMode: "private", ipcMode: "private", exp: nil},
-		{pidMode: "other", ipcMode: "private", exp: errors.New(`default_pid_mode must be "private" or "host", got "other"`)},
-		{pidMode: "private", ipcMode: "other", exp: errors.New(`default_ipc_mode must be "private" or "host", got "other"`)},
-	} {
-		require.Equal(t, tc.exp, (&Config{
-			DefaultModePID: tc.pidMode,
-			DefaultModeIPC: tc.ipcMode,
-		}).validate())
-	}
+	t.Run("pid/ipc", func(t *testing.T) {
+		for _, tc := range []struct {
+			pidMode, ipcMode string
+			exp              error
+		}{
+			{pidMode: "host", ipcMode: "host", exp: nil},
+			{pidMode: "private", ipcMode: "host", exp: nil},
+			{pidMode: "host", ipcMode: "private", exp: nil},
+			{pidMode: "private", ipcMode: "private", exp: nil},
+			{pidMode: "other", ipcMode: "private", exp: errors.New(`default_pid_mode must be "private" or "host", got "other"`)},
+			{pidMode: "private", ipcMode: "other", exp: errors.New(`default_ipc_mode must be "private" or "host", got "other"`)},
+		} {
+			require.Equal(t, tc.exp, (&Config{
+				DefaultModePID: tc.pidMode,
+				DefaultModeIPC: tc.ipcMode,
+			}).validate())
+		}
+	})
+
+	t.Run("allow_caps", func(t *testing.T) {
+		for _, tc := range []struct {
+			ac  []string
+			exp error
+		}{
+			{ac: []string{}, exp: nil},
+			{ac: []string{"all"}, exp: nil},
+			{ac: []string{"chown", "sys_time"}, exp: nil},
+			{ac: []string{"CAP_CHOWN", "cap_sys_time"}, exp: nil},
+			{ac: []string{"chown", "not_valid", "sys_time"}, exp: errors.New("allow_caps configured with capabilities not supported by system: not_valid")},
+		} {
+			require.Equal(t, tc.exp, (&Config{
+				DefaultModePID: "private",
+				DefaultModeIPC: "private",
+				AllowCaps:      tc.ac,
+			}).validate())
+		}
+	})
 }
 
 func TestDriver_TaskConfig_validate(t *testing.T) {
-	for _, tc := range []struct {
-		pidMode, ipcMode string
-		exp              error
-	}{
-		{pidMode: "host", ipcMode: "host", exp: nil},
-		{pidMode: "host", ipcMode: "private", exp: nil},
-		{pidMode: "host", ipcMode: "", exp: nil},
-		{pidMode: "host", ipcMode: "other", exp: errors.New(`ipc_mode must be "private" or "host", got "other"`)},
-
-		{pidMode: "host", ipcMode: "host", exp: nil},
-		{pidMode: "private", ipcMode: "host", exp: nil},
-		{pidMode: "", ipcMode: "host", exp: nil},
-		{pidMode: "other", ipcMode: "host", exp: errors.New(`pid_mode must be "private" or "host", got "other"`)},
-	} {
-		require.Equal(t, tc.exp, (&TaskConfig{
-			ModePID: tc.pidMode,
-			ModeIPC: tc.ipcMode,
-		}).validate())
-	}
+	t.Run("pid/ipc", func(t *testing.T) {
+		for _, tc := range []struct {
+			pidMode, ipcMode string
+			exp              error
+		}{
+			{pidMode: "host", ipcMode: "host", exp: nil},
+			{pidMode: "host", ipcMode: "private", exp: nil},
+			{pidMode: "host", ipcMode: "", exp: nil},
+			{pidMode: "host", ipcMode: "other", exp: errors.New(`ipc_mode must be "private" or "host", got "other"`)},
+
+			{pidMode: "host", ipcMode: "host", exp: nil},
+			{pidMode: "private", ipcMode: "host", exp: nil},
+			{pidMode: "", ipcMode: "host", exp: nil},
+			{pidMode: "other", ipcMode: "host", exp: errors.New(`pid_mode must be "private" or "host", got "other"`)},
+		} {
+			require.Equal(t, tc.exp, (&TaskConfig{
+				ModePID: tc.pidMode,
+				ModeIPC: tc.ipcMode,
+			}).validate())
+		}
+	})
+
+	t.Run("cap_add", func(t *testing.T) {
+		for _, tc := range []struct {
+			adds []string
+			exp  error
+		}{
+			{adds: nil, exp: nil},
+			{adds: []string{"chown"}, exp: nil},
+			{adds: []string{"CAP_CHOWN"}, exp: nil},
+			{adds: []string{"chown", "sys_time"}, exp: nil},
+			{adds: []string{"chown", "not_valid", "sys_time"}, exp: errors.New("cap_add configured with capabilities not supported by system: not_valid")},
+		} {
+			require.Equal(t, tc.exp, (&TaskConfig{
+				CapAdd: tc.adds,
+			}).validate())
+		}
+	})
+
+	t.Run("cap_drop", func(t *testing.T) {
+		for _, tc := range []struct {
+			drops []string
+			exp   error
+		}{
+			{drops: nil, exp: nil},
+			{drops: []string{"chown"}, exp: nil},
+			{drops: []string{"CAP_CHOWN"}, exp: nil},
+			{drops: []string{"chown", "sys_time"}, exp: nil},
+			{drops: []string{"chown", "not_valid", "sys_time"}, exp: errors.New("cap_drop configured with capabilities not supported by system: not_valid")},
+		} {
+			require.Equal(t, tc.exp, (&TaskConfig{
+				CapDrop: tc.drops,
+			}).validate())
+		}
+	})
 }