Merge pull request from GHSA-2mm7-x5h6-5pvq

[20.10] oci: inheritable capability set should be empty
Sebastiaan van Stijn 2022-03-23 22:10:17 +01:00 committed by GitHub
commit 7f375bcff4
3 changed files with 20 additions and 19 deletions


@ -19,13 +19,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
}
}
if ec.Privileged {
if p.Capabilities == nil {
p.Capabilities = &specs.LinuxCapabilities{}
p.Capabilities = &specs.LinuxCapabilities{
Bounding: caps.GetAllCapabilities(),
Permitted: caps.GetAllCapabilities(),
Effective: caps.GetAllCapabilities(),
}
p.Capabilities.Bounding = caps.GetAllCapabilities()
p.Capabilities.Permitted = p.Capabilities.Bounding
p.Capabilities.Inheritable = p.Capabilities.Bounding
p.Capabilities.Effective = p.Capabilities.Bounding
}
if apparmor.IsEnabled() {
var appArmorProfile string
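Review bot: The new `p.Capabilities = &specs.LinuxCapabilities{` literal leaves Inheritable unset without saying that this is deliberate, and the same silent omission appears in the DefaultLinuxSpec hunk and in both branches of the SetCapabilities hunk (whose comment explains only the non-root Effective/Permitted case). A one-line comment above each literal, `// Inheritable is deliberately left empty; see GHSA-2mm7-x5h6-5pvq.`, would stop a later cleanup from "restoring" it. The rendering also does not show whether `if p.Capabilities == nil {` survives on the new side; if it does, a privileged exec whose p.Capabilities is already populated (presumably copied from the container's spec) keeps that narrower set instead of the full one, so the assignment should be unconditional. execSetPlatformOpt starts before and ends after this hunk.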


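--- a/FILE_PATH_NOT_ON_PAGE
+++ b/FILE_PATH_NOT_ON_PAGE
@@ -41,10 +41,9 @@ func DefaultLinuxSpec() specs.Spec {
 Version: specs.Version,
 Process: &specs.Process{
 Capabilities: &specs.LinuxCapabilities{
-Bounding: caps.DefaultCapabilities(),
-Permitted: caps.DefaultCapabilities(),
-Inheritable: caps.DefaultCapabilities(),
-Effective: caps.DefaultCapabilities(),
+Bounding: caps.DefaultCapabilities(),
+Permitted: caps.DefaultCapabilities(),
+Effective: caps.DefaultCapabilities(),
 },
 },
 Root: &specs.Root{},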
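Review bot: None of the three changed files is a test, so nothing in this PR pins the new default and a later edit could reintroduce the Inheritable entry unnoticed; a small regression test next to DefaultLinuxSpec would close that gap, e.g. `if c := DefaultLinuxSpec().Process.Capabilities; len(c.Inheritable) != 0 { t.Fatalf("inheritable must be empty, got %v", c.Inheritable) }`. The same kind of assertion is worth adding for the SetCapabilities path, where the non-root branch must also leave Inheritable empty. DefaultLinuxSpec starts before and ends after this hunk.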


@ -17,17 +17,21 @@ import (
var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
// SetCapabilities sets the provided capabilities on the spec
// All capabilities are added if privileged is true
// All capabilities are added if privileged is true.
func SetCapabilities(s *specs.Spec, caplist []string) error {
s.Process.Capabilities.Effective = caplist
s.Process.Capabilities.Bounding = caplist
s.Process.Capabilities.Permitted = caplist
s.Process.Capabilities.Inheritable = caplist
// setUser has already been executed here
// if non root drop capabilities in the way execve does
if s.Process.User.UID != 0 {
s.Process.Capabilities.Effective = []string{}
s.Process.Capabilities.Permitted = []string{}
if s.Process.User.UID == 0 {
s.Process.Capabilities = &specs.LinuxCapabilities{
Effective: caplist,
Bounding: caplist,
Permitted: caplist,
}
} else {
// Do not set Effective and Permitted capabilities for non-root users,
// to match what execve does.
s.Process.Capabilities = &specs.LinuxCapabilities{
Bounding: caplist,
}
}
return nil
}
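Review bot: The doc comment this hunk edits, `// All capabilities are added if privileged is true.`, still describes a privileged flag that `SetCapabilities(s *specs.Spec, caplist []string)` does not take, so the sentence is stale; replace it with `// The bounding set is always caplist; effective and permitted are set only for root (UID 0), and inheritable is deliberately left empty.`. Because both branches now replace `s.Process.Capabilities` with a fresh struct instead of assigning individual fields as the removed code did, any other field previously populated on that struct (by DefaultLinuxSpec, for instance) is discarded; that is the intended effect for Inheritable, but the non-root comment names only Effective and Permitted, so a reader cannot tell the discard is on purpose. Extending that comment to `// Only the bounding set is kept for non-root users, matching execve; effective, permitted and inheritable stay empty.` would make the contract explicit.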