
Some SCCs don't drop any caps #16371

Closed
php-coder opened this issue Sep 15, 2017 · 2 comments

Comments


php-coder commented Sep 15, 2017

I'm a bit surprised that some SCCs (for example, nonroot) have empty requiredDropCapabilities.

Version

oc v3.7.0-alpha.1+3fddedc-367-dirty
kubernetes v1.7.0+80709908fd
features: Basic-Auth

Server https://10.34.129.200:8443
openshift v3.7.0-alpha.1+3fddedc-367-dirty
kubernetes v1.7.0+80709908fd

Steps To Reproduce
  1. oc cluster up
  2. oc login -u system:admin
  3. oc get scc -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.requiredDropCapabilities}{"\n"}{end}' | column -t

Current Result

anyuid            [MKNOD  SYS_CHROOT]
hostaccess        []
hostmount-anyuid  []
hostnetwork       [KILL   MKNOD        SYS_CHROOT  SETUID  SETGID]
nonroot           []
privileged        []
restricted        [KILL   MKNOD        SYS_CHROOT  SETUID  SETGID]
Expected Result

nonroot should drop KILL, MKNOD, SETUID, and SETGID capabilities
hostaccess should drop KILL, MKNOD, SETUID, and SETGID capabilities
hostmount-anyuid should drop MKNOD capabilities

simo5 added the area/security and help wanted labels Sep 15, 2017
@simo5 simo5 self-assigned this Sep 15, 2017
php-coder (author) commented:

The fix is trivial, the main concern is to get agreement on expected behavior.

php-coder (author) commented:

@openshift/sig-security please, confirm that the following behavior will be OK:

  • nonroot must drop KILL, MKNOD, SETUID, and SETGID capabilities
  • hostaccess must drop KILL, MKNOD, SETUID, and SETGID capabilities
  • hostmount-anyuid must drop MKNOD capabilities
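
As an added example (not code from this issue or from OpenShift), a small audit that compares each SCC's requiredDropCapabilities against the drops listed above, run over a constructed sample shaped like `oc get scc -o json` output; EXPECTED_DROPS and find_missing_drops are names chosen here, and capability spellings are normalised so that "CAP_KILL" and "kill" count as KILL.

```python
import json

# Drops each SCC is expected to require. nonroot, hostaccess and hostmount-anyuid
# come from the issue's "Expected Result"; the others restate what its "Current
# Result" already shows. privileged is deliberately unrestricted and is not listed.
EXPECTED_DROPS = {
    "anyuid": {"MKNOD", "SYS_CHROOT"},
    "hostaccess": {"KILL", "MKNOD", "SETUID", "SETGID"},
    "hostmount-anyuid": {"MKNOD"},
    "hostnetwork": {"KILL", "MKNOD", "SYS_CHROOT", "SETUID", "SETGID"},
    "nonroot": {"KILL", "MKNOD", "SETUID", "SETGID"},
    "restricted": {"KILL", "MKNOD", "SYS_CHROOT", "SETUID", "SETGID"},
}

# Constructed sample in the shape of `oc get scc -o json`, reduced to the fields
# this check reads; values mirror the issue's "Current Result" table.
SAMPLE_SCC_LIST = json.dumps({"items": [
    {"metadata": {"name": "anyuid"}, "requiredDropCapabilities": ["MKNOD", "SYS_CHROOT"]},
    {"metadata": {"name": "hostaccess"}, "requiredDropCapabilities": []},
    {"metadata": {"name": "hostmount-anyuid"}},  # field absent: treated as no drops
    {"metadata": {"name": "hostnetwork"},
     "requiredDropCapabilities": ["KILL", "MKNOD", "SYS_CHROOT", "SETUID", "SETGID"]},
    {"metadata": {"name": "nonroot"}, "requiredDropCapabilities": []},
    {"metadata": {"name": "privileged"}, "requiredDropCapabilities": []},
    {"metadata": {"name": "restricted"},
     "requiredDropCapabilities": ["KILL", "MKNOD", "SYS_CHROOT", "SETUID", "SETGID"]},
]})


def _norm(cap):
    """Upper-case a capability name and strip an optional CAP_ prefix."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def find_missing_drops(scc_json, expected=EXPECTED_DROPS):
    """Return {scc_name: sorted missing caps} for every SCC whose
    requiredDropCapabilities lacks something the policy expects.
    SCCs with no policy entry (e.g. privileged) are skipped."""
    missing = {}
    for item in json.loads(scc_json).get("items", []):
        name = item["metadata"]["name"]
        if name not in expected:
            continue
        actual = {_norm(c) for c in item.get("requiredDropCapabilities") or []}
        gap = expected[name] - actual
        if gap:
            missing[name] = sorted(gap)
    return missing


if __name__ == "__main__":
    for scc, caps in find_missing_drops(SAMPLE_SCC_LIST).items():
        print(f"{scc}: missing required drops {caps}")
```

Against the sample this reports exactly the three SCCs the issue names; on a live cluster, pipe `oc get scc -o json` into it instead of the constructed string.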

@php-coder php-coder self-assigned this Sep 18, 2017
php-coder removed the help wanted label Sep 19, 2017
openshift-merge-robot added a commit that referenced this issue Sep 28, 2017
Automatic merge from submit-queue (batch tested with PRs 16559, 16518, 16436).

Modify nonroot, hostaccess, and hostmount-anyuid SCCs to drop some capabilities

- `nonroot` now drops KILL, MKNOD, SETUID, and SETGID
- `hostaccess` now drops KILL, MKNOD, SETUID, and SETGID
- `hostmount-anyuid` now drops MKNOD

PTAL @openshift/sig-security 

Fixes #16371