Merge pull request from GHSA-2mm7-x5h6-5pvq

[20.10] oci: inheritable capability set should be empty
Sebastiaan van Stijn 2022-03-23 22:10:17 +01:00 committed by GitHub
commit 7f375bcff4
3 changed files with 20 additions and 19 deletions


@ -19,13 +19,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
} }
} }
if ec.Privileged { if ec.Privileged {
if p.Capabilities == nil { p.Capabilities = &specs.LinuxCapabilities{
p.Capabilities = &specs.LinuxCapabilities{} Bounding: caps.GetAllCapabilities(),
Permitted: caps.GetAllCapabilities(),
Effective: caps.GetAllCapabilities(),
} }
p.Capabilities.Bounding = caps.GetAllCapabilities()
p.Capabilities.Permitted = p.Capabilities.Bounding
p.Capabilities.Inheritable = p.Capabilities.Bounding
p.Capabilities.Effective = p.Capabilities.Bounding
} }
if apparmor.IsEnabled() { if apparmor.IsEnabled() {
var appArmorProfile string var appArmorProfile string
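Review bot: The new struct literal in the `if ec.Privileged` branch leaves Inheritable (and Ambient) unset, but nothing in the hunk says why, and the same applies to the Inheritable removal in the `DefaultLinuxSpec` hunk and the rebuilt literals in the `SetCapabilities` hunk. Since the old code deliberately copied Bounding into Inheritable, a later reader could "restore" it; a one-line comment above the literal such as `// Inheritable is intentionally left empty: privileged only widens bounding/permitted/effective (see GHSA-2mm7-x5h6-5pvq).` would pin the intent. Assigning a fresh struct also discards any Ambient set earlier on p, which the old nil-check path preserved; that looks intended but is worth stating in the same comment. execSetPlatformOpt starts and ends outside the hunk.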


@ -41,10 +41,9 @@ func DefaultLinuxSpec() specs.Spec {
Version: specs.Version, Version: specs.Version,
Process: &specs.Process{ Process: &specs.Process{
Capabilities: &specs.LinuxCapabilities{ Capabilities: &specs.LinuxCapabilities{
Bounding: caps.DefaultCapabilities(), Bounding: caps.DefaultCapabilities(),
Permitted: caps.DefaultCapabilities(), Permitted: caps.DefaultCapabilities(),
Inheritable: caps.DefaultCapabilities(), Effective: caps.DefaultCapabilities(),
Effective: caps.DefaultCapabilities(),
}, },
}, },
Root: &specs.Root{}, Root: &specs.Root{},


@ -17,17 +17,21 @@ import (
var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$") var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
// SetCapabilities sets the provided capabilities on the spec // SetCapabilities sets the provided capabilities on the spec
// All capabilities are added if privileged is true // All capabilities are added if privileged is true.
func SetCapabilities(s *specs.Spec, caplist []string) error { func SetCapabilities(s *specs.Spec, caplist []string) error {
s.Process.Capabilities.Effective = caplist
s.Process.Capabilities.Bounding = caplist
s.Process.Capabilities.Permitted = caplist
s.Process.Capabilities.Inheritable = caplist
// setUser has already been executed here // setUser has already been executed here
// if non root drop capabilities in the way execve does if s.Process.User.UID == 0 {
if s.Process.User.UID != 0 { s.Process.Capabilities = &specs.LinuxCapabilities{
s.Process.Capabilities.Effective = []string{} Effective: caplist,
s.Process.Capabilities.Permitted = []string{} Bounding: caplist,
Permitted: caplist,
}
} else {
// Do not set Effective and Permitted capabilities for non-root users,
// to match what execve does.
s.Process.Capabilities = &specs.LinuxCapabilities{
Bounding: caplist,
}
} }
return nil return nil
} }
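Review bot: The doc comment at the top of the hunk, `// All capabilities are added if privileged is true.`, still describes a `privileged` flag that SetCapabilities does not take (the commit only added a period), so it should describe what the function now does, e.g. `// SetCapabilities sets caplist as the bounding set and, for UID 0 only, also as the effective and permitted sets; inheritable and ambient are left empty.` The comment on the non-root branch, `// Do not set Effective and Permitted capabilities for non-root users,`, should also name Inheritable, since that is the set the commit stops populating in both branches. Replacing `s.Process.Capabilities` wholesale instead of assigning fields means the function no longer requires Capabilities to be non-nil but does drop any Ambient set earlier on the spec; presumably intended, and the doc comment is the place to say so.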