Merge pull request from GHSA-2mm7-x5h6-5pvq
[20.10] oci: inheritable capability set should be empty
This commit is contained in:
Sebastiaan van Stijn
GitHub
commit
7f375bcff4
|
|
@ -19,13 +19,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
|
|||
}
|
||||
}
|
||||
if ec.Privileged {
|
||||
if p.Capabilities == nil {
|
||||
p.Capabilities = &specs.LinuxCapabilities{}
|
||||
p.Capabilities = &specs.LinuxCapabilities{
|
||||
Bounding: caps.GetAllCapabilities(),
|
||||
Permitted: caps.GetAllCapabilities(),
|
||||
Effective: caps.GetAllCapabilities(),
|
||||
}
|
||||
p.Capabilities.Bounding = caps.GetAllCapabilities()
|
||||
p.Capabilities.Permitted = p.Capabilities.Bounding
|
||||
p.Capabilities.Inheritable = p.Capabilities.Bounding
|
||||
p.Capabilities.Effective = p.Capabilities.Bounding
|
||||
}
|
||||
if apparmor.IsEnabled() {
|
||||
var appArmorProfile string
|
||||
|
|
|
|||
|
|
@ -41,10 +41,9 @@ func DefaultLinuxSpec() specs.Spec {
|
|||
Version: specs.Version,
|
||||
Process: &specs.Process{
|
||||
Capabilities: &specs.LinuxCapabilities{
|
||||
Bounding: caps.DefaultCapabilities(),
|
||||
Permitted: caps.DefaultCapabilities(),
|
||||
Inheritable: caps.DefaultCapabilities(),
|
||||
Effective: caps.DefaultCapabilities(),
|
||||
Bounding: caps.DefaultCapabilities(),
|
||||
Permitted: caps.DefaultCapabilities(),
|
||||
Effective: caps.DefaultCapabilities(),
|
||||
},
|
||||
},
|
||||
Root: &specs.Root{},
|
||||
|
|
|
|||
22
oci/oci.go
22
oci/oci.go
|
|
@ -17,17 +17,21 @@ import (
|
|||
var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
|
||||
|
||||
// SetCapabilities sets the provided capabilities on the spec
|
||||
// All capabilities are added if privileged is true
|
||||
// All capabilities are added if privileged is true.
|
||||
func SetCapabilities(s *specs.Spec, caplist []string) error {
|
||||
s.Process.Capabilities.Effective = caplist
|
||||
s.Process.Capabilities.Bounding = caplist
|
||||
s.Process.Capabilities.Permitted = caplist
|
||||
s.Process.Capabilities.Inheritable = caplist
|
||||
// setUser has already been executed here
|
||||
// if non root drop capabilities in the way execve does
|
||||
if s.Process.User.UID != 0 {
|
||||
s.Process.Capabilities.Effective = []string{}
|
||||
s.Process.Capabilities.Permitted = []string{}
|
||||
if s.Process.User.UID == 0 {
|
||||
s.Process.Capabilities = &specs.LinuxCapabilities{
|
||||
Effective: caplist,
|
||||
Bounding: caplist,
|
||||
Permitted: caplist,
|
||||
}
|
||||
} else {
|
||||
// Do not set Effective and Permitted capabilities for non-root users,
|
||||
// to match what execve does.
|
||||
s.Process.Capabilities = &specs.LinuxCapabilities{
|
||||
Bounding: caplist,
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue