Merge pull request #16436 from php-coder/gh16371_drops_more_caps
Automatic merge from submit-queue (batch tested with PRs 16559, 16518, 16436).

Modify nonroot, hostaccess, and hostmount-anyuid SCCs to drop some capabilities

- `nonroot` now drops KILL, MKNOD, SETUID, and SETGID
- `hostaccess` now drops KILL, MKNOD, SETUID, and SETGID
- `hostmount-anyuid` now drops MKNOD

PTAL @openshift/sig-security 

Fixes #16371
openshift-merge-robot committed Sep 28, 2017
2 parents 2a47bb7 + 9dad3fc commit 092c32e
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
Expand Up @@ -114,6 +114,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
SupplementalGroups: securityapi.SupplementalGroupsStrategyOptions{
Type: securityapi.SupplementalGroupsStrategyRunAsAny,
},
RequiredDropCapabilities: []kapi.Capability{"KILL", "MKNOD", "SETUID", "SETGID"},
},
// SecurityContextConstraintHostMountAndAnyUID is the same as the restricted scc but allows the use of the hostPath and NFS plugins, and running as any UID.
// Used by the PV recycler.
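Review bot: the added RequiredDropCapabilities line spells the capabilities as bare string literals ("KILL", "MKNOD", "SETUID", "SETGID"), so a misspelt name would still compile, and the page shows one changed file with no test alongside it. Consider adding a test that checks the expected drop list for each of the three SCCs named in the commit message, so a later edit to this function cannot quietly remove or alter a dropped capability.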
Expand Down Expand Up @@ -143,6 +144,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
SupplementalGroups: securityapi.SupplementalGroupsStrategyOptions{
Type: securityapi.SupplementalGroupsStrategyRunAsAny,
},
RequiredDropCapabilities: []kapi.Capability{"MKNOD"},
},
// SecurityContextConstraintHostNS allows access to everything except privileged on the host
// but still allocates UIDs and SELinux.
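Review bot: the added line drops only MKNOD, while the other two entries touched by this commit drop KILL, MKNOD, SETUID and SETGID, and nothing in the hunk says why the shorter list is intended. A one-line comment next to `RequiredDropCapabilities: []kapi.Capability{"MKNOD"}` stating why KILL, SETUID and SETGID stay available for this entry would stop a later cleanup from widening or narrowing the list by guesswork.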
Expand Down Expand Up @@ -176,6 +178,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
SupplementalGroups: securityapi.SupplementalGroupsStrategyOptions{
Type: securityapi.SupplementalGroupsStrategyRunAsAny,
},
RequiredDropCapabilities: []kapi.Capability{"KILL", "MKNOD", "SETUID", "SETGID"},
},
// SecurityContextConstraintRestricted allows no host access and allocates UIDs and SELinux.
{
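Review bot: the list on the added RequiredDropCapabilities line is a verbatim copy of the one added in the @@ -114 hunk, so the two can drift apart when only one is edited. Hoisting it into a single named variable or helper used by both entries would keep them in step. The doc comment for this entry, visible just above this hunk, still reads "allows access to everything except privileged on the host" and should now mention the dropped capabilities.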