Merge pull request from GHSA-2mm7-x5h6-5pvq
[20.10] oci: inheritable capability set should be empty
commit
7f375bcff4
3 changed files with 20 additions and 19 deletions
|
@ -19,13 +19,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ec.Privileged {
|
if ec.Privileged {
|
||||||
if p.Capabilities == nil {
|
p.Capabilities = &specs.LinuxCapabilities{
|
||||||
p.Capabilities = &specs.LinuxCapabilities{}
|
Bounding: caps.GetAllCapabilities(),
|
||||||
|
Permitted: caps.GetAllCapabilities(),
|
||||||
|
Effective: caps.GetAllCapabilities(),
|
||||||
}
|
}
|
||||||
p.Capabilities.Bounding = caps.GetAllCapabilities()
|
|
||||||
p.Capabilities.Permitted = p.Capabilities.Bounding
|
|
||||||
p.Capabilities.Inheritable = p.Capabilities.Bounding
|
|
||||||
p.Capabilities.Effective = p.Capabilities.Bounding
|
|
||||||
}
|
}
|
||||||
if apparmor.IsEnabled() {
|
if apparmor.IsEnabled() {
|
||||||
var appArmorProfile string
|
var appArmorProfile string
|
||||||
|
|
|
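Review bot: The privileged branch now builds a fresh LinuxCapabilities literal without an Inheritable field, but nothing in the hunk records that the omission is deliberate, so a later tidy-up could add `Inheritable: caps.GetAllCapabilities()` back and silently reintroduce the issue; a comment above the literal such as `// Inheritable is intentionally left empty (GHSA-2mm7-x5h6-5pvq): a populated inheritable set can become permitted capabilities across execve via file capabilities, so it is never derived from the bounding set.` would pin it. The same comment is missing from the DefaultLinuxSpec hunk below and from the SetCapabilities hunk in oci/oci.go, whose new literals also leave Inheritable unset. The nil-guard on p.Capabilities is also gone and the struct is replaced wholesale, which discards any fields already populated on it (Ambient, for instance); that looks intended for a privileged exec but is worth stating in the same comment. execSetPlatformOpt begins and ends outside this hunk.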
@ -41,10 +41,9 @@ func DefaultLinuxSpec() specs.Spec {
|
||||||
Version: specs.Version,
|
Version: specs.Version,
|
||||||
Process: &specs.Process{
|
Process: &specs.Process{
|
||||||
Capabilities: &specs.LinuxCapabilities{
|
Capabilities: &specs.LinuxCapabilities{
|
||||||
Bounding: caps.DefaultCapabilities(),
|
Bounding: caps.DefaultCapabilities(),
|
||||||
Permitted: caps.DefaultCapabilities(),
|
Permitted: caps.DefaultCapabilities(),
|
||||||
Inheritable: caps.DefaultCapabilities(),
|
Effective: caps.DefaultCapabilities(),
|
||||||
Effective: caps.DefaultCapabilities(),
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Root: &specs.Root{},
|
Root: &specs.Root{},
|
||||||
|
|
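--- a/oci/oci.go
+++ b/oci/oci.go
@@ -17,17 +17,21 @@ import (
 var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
 
 // SetCapabilities sets the provided capabilities on the spec
-// All capabilities are added if privileged is true
+// All capabilities are added if privileged is true.
 func SetCapabilities(s *specs.Spec, caplist []string) error {
-s.Process.Capabilities.Effective = caplist
-s.Process.Capabilities.Bounding = caplist
-s.Process.Capabilities.Permitted = caplist
-s.Process.Capabilities.Inheritable = caplist
 // setUser has already been executed here
-// if non root drop capabilities in the way execve does
-if s.Process.User.UID != 0 {
-s.Process.Capabilities.Effective = []string{}
-s.Process.Capabilities.Permitted = []string{}
+if s.Process.User.UID == 0 {
+s.Process.Capabilities = &specs.LinuxCapabilities{
+Effective: caplist,
+Bounding: caplist,
+Permitted: caplist,
+}
+} else {
+// Do not set Effective and Permitted capabilities for non-root users,
+// to match what execve does.
+s.Process.Capabilities = &specs.LinuxCapabilities{
+Bounding: caplist,
+}
 }
 return nil
 }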
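Review bot: The doc comment kept by this hunk still reads `// All capabilities are added if privileged is true`, yet SetCapabilities takes no privileged argument (the commit only appended a period), so the sentence documents a parameter that does not exist; presumably the caller that builds caplist makes that decision. Rewording it to the actual contract would help: `// SetCapabilities replaces s.Process.Capabilities with a set built from caplist: root gets it as Effective, Bounding and Permitted, non-root only as Bounding (matching execve); Inheritable and Ambient are always left empty.` The function also cannot fail, so the error return is always nil; if it is kept for interface stability a short note saying so stops callers from adding dead handling. Replacing the struct wholesale also drops whatever the spec already carried in Capabilities, which is the point of the fix but deserves a mention in the same comment.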