Merge pull request from GHSA-c9cp-9c75-9v8c

Fix the Inheritable capability defaults.
Derek McGowan 2022-03-23 10:50:56 -07:00 committed by GitHub
commit 551516a18d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 7 additions and 17 deletions


@ -148,10 +148,9 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
GID: 0, GID: 0,
}, },
Capabilities: &specs.LinuxCapabilities{ Capabilities: &specs.LinuxCapabilities{
Bounding: defaultUnixCaps(), Bounding: defaultUnixCaps(),
Permitted: defaultUnixCaps(), Permitted: defaultUnixCaps(),
Inheritable: defaultUnixCaps(), Effective: defaultUnixCaps(),
Effective: defaultUnixCaps(),
}, },
Rlimits: []specs.POSIXRlimit{ Rlimits: []specs.POSIXRlimit{
{ {
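Review bot: The Capabilities literal at the top of the hunk now fills Bounding, Permitted and Effective but leaves Inheritable unset with no comment saying this is deliberate, so a later maintainer could "restore" it for symmetry and quietly reintroduce the issue this PR fixes. Add a one-line comment inside the literal, e.g. `// Inheritable is intentionally left empty; see GHSA-c9cp-9c75-9v8c.`, so the omission reads as a decision rather than an oversight. The rest of populateDefaultUnixSpec lies outside the hunk.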


@ -873,7 +873,6 @@ func WithCapabilities(caps []string) SpecOpts {
s.Process.Capabilities.Bounding = caps s.Process.Capabilities.Bounding = caps
s.Process.Capabilities.Effective = caps s.Process.Capabilities.Effective = caps
s.Process.Capabilities.Permitted = caps s.Process.Capabilities.Permitted = caps
s.Process.Capabilities.Inheritable = caps
return nil return nil
} }
@ -908,7 +907,6 @@ func WithAddedCapabilities(caps []string) SpecOpts {
&s.Process.Capabilities.Bounding, &s.Process.Capabilities.Bounding,
&s.Process.Capabilities.Effective, &s.Process.Capabilities.Effective,
&s.Process.Capabilities.Permitted, &s.Process.Capabilities.Permitted,
&s.Process.Capabilities.Inheritable,
} { } {
if !capsContain(*cl, c) { if !capsContain(*cl, c) {
*cl = append(*cl, c) *cl = append(*cl, c)
@ -928,7 +926,6 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
&s.Process.Capabilities.Bounding, &s.Process.Capabilities.Bounding,
&s.Process.Capabilities.Effective, &s.Process.Capabilities.Effective,
&s.Process.Capabilities.Permitted, &s.Process.Capabilities.Permitted,
&s.Process.Capabilities.Inheritable,
} { } {
removeCap(cl, c) removeCap(cl, c)
} }
@ -943,7 +940,7 @@ func WithDroppedCapabilities(caps []string) SpecOpts {
func WithAmbientCapabilities(caps []string) SpecOpts { func WithAmbientCapabilities(caps []string) SpecOpts {
return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error { return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
setCapabilities(s) setCapabilities(s)
s.Process.Capabilities.Inheritable = caps
s.Process.Capabilities.Ambient = caps s.Process.Capabilities.Ambient = caps
return nil return nil
} }
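Review bot: WithAmbientCapabilities, in the last hunk of this section, now sets Ambient without Inheritable, yet the kernel only admits a capability into the ambient set when it is already in both the permitted and the inheritable sets, so on its own this option likely no longer yields a working ambient set at runtime. If that is intended, the option's doc comment (outside the hunk) should say callers must also populate Inheritable; otherwise keep `s.Process.Capabilities.Inheritable = caps` in this one function, since ambient capabilities are the case where a non-empty inheritable set is genuinely required. The three earlier hunks (WithCapabilities, WithAddedCapabilities, WithDroppedCapabilities) are consistent with the new default and only need their doc comments updated to state that Inheritable is no longer modified.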


@ -39,7 +39,6 @@ func TestAddCaps(t *testing.T) {
s.Process.Capabilities.Bounding, s.Process.Capabilities.Bounding,
s.Process.Capabilities.Effective, s.Process.Capabilities.Effective,
s.Process.Capabilities.Permitted, s.Process.Capabilities.Permitted,
s.Process.Capabilities.Inheritable,
} { } {
if !capsContain(cl, "CAP_CHOWN") { if !capsContain(cl, "CAP_CHOWN") {
t.Errorf("cap list %d does not contain added cap", i) t.Errorf("cap list %d does not contain added cap", i)
@ -63,7 +62,6 @@ func TestDropCaps(t *testing.T) {
s.Process.Capabilities.Bounding, s.Process.Capabilities.Bounding,
s.Process.Capabilities.Effective, s.Process.Capabilities.Effective,
s.Process.Capabilities.Permitted, s.Process.Capabilities.Permitted,
s.Process.Capabilities.Inheritable,
} { } {
if capsContain(cl, "CAP_CHOWN") { if capsContain(cl, "CAP_CHOWN") {
t.Errorf("cap list %d contains dropped cap", i) t.Errorf("cap list %d contains dropped cap", i)
@ -82,7 +80,6 @@ func TestDropCaps(t *testing.T) {
s.Process.Capabilities.Bounding, s.Process.Capabilities.Bounding,
s.Process.Capabilities.Effective, s.Process.Capabilities.Effective,
s.Process.Capabilities.Permitted, s.Process.Capabilities.Permitted,
s.Process.Capabilities.Inheritable,
} { } {
if capsContain(cl, "CAP_FOWNER") { if capsContain(cl, "CAP_FOWNER") {
t.Errorf("cap list %d contains dropped cap", i) t.Errorf("cap list %d contains dropped cap", i)
@ -103,7 +100,6 @@ func TestDropCaps(t *testing.T) {
s.Process.Capabilities.Bounding, s.Process.Capabilities.Bounding,
s.Process.Capabilities.Effective, s.Process.Capabilities.Effective,
s.Process.Capabilities.Permitted, s.Process.Capabilities.Permitted,
s.Process.Capabilities.Inheritable,
} { } {
if len(cl) != 0 { if len(cl) != 0 {
t.Errorf("cap list %d is not empty", i) t.Errorf("cap list %d is not empty", i)
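Review bot: The loops in TestAddCaps and TestDropCaps now stop looking at Inheritable altogether, so a regression that puts `&s.Process.Capabilities.Inheritable` back into an option's list would pass unnoticed; a positive check is cheap, e.g. after each loop `if len(s.Process.Capabilities.Inheritable) != 0 { t.Errorf("inheritable caps set: %v", s.Process.Capabilities.Inheritable) }`. The same applies to TestGenerateSpec in the next file section, which only removes Inheritable from the compared lists, whereas TestWithCapabilities there already asserts it is empty. The enclosing test functions start and end outside these hunks.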


@ -45,7 +45,6 @@ func TestGenerateSpec(t *testing.T) {
for _, cl := range [][]string{ for _, cl := range [][]string{
s.Process.Capabilities.Bounding, s.Process.Capabilities.Bounding,
s.Process.Capabilities.Permitted, s.Process.Capabilities.Permitted,
s.Process.Capabilities.Inheritable,
s.Process.Capabilities.Effective, s.Process.Capabilities.Effective,
} { } {
for i := 0; i < len(defaults); i++ { for i := 0; i < len(defaults); i++ {
@ -193,8 +192,8 @@ func TestWithCapabilities(t *testing.T) {
if len(s.Process.Capabilities.Permitted) != 1 || s.Process.Capabilities.Permitted[0] != "CAP_SYS_ADMIN" { if len(s.Process.Capabilities.Permitted) != 1 || s.Process.Capabilities.Permitted[0] != "CAP_SYS_ADMIN" {
t.Error("Unexpected capabilities set") t.Error("Unexpected capabilities set")
} }
if len(s.Process.Capabilities.Inheritable) != 1 || s.Process.Capabilities.Inheritable[0] != "CAP_SYS_ADMIN" { if len(s.Process.Capabilities.Inheritable) != 0 {
t.Error("Unexpected capabilities set") t.Errorf("Unexpected capabilities set: length is non zero (%d)", len(s.Process.Capabilities.Inheritable))
} }
} }


@ -255,15 +255,14 @@ func TestContainerCapabilities(t *testing.T) {
for _, include := range test.includes { for _, include := range test.includes {
assert.Contains(t, spec.Process.Capabilities.Bounding, include) assert.Contains(t, spec.Process.Capabilities.Bounding, include)
assert.Contains(t, spec.Process.Capabilities.Effective, include) assert.Contains(t, spec.Process.Capabilities.Effective, include)
assert.Contains(t, spec.Process.Capabilities.Inheritable, include)
assert.Contains(t, spec.Process.Capabilities.Permitted, include) assert.Contains(t, spec.Process.Capabilities.Permitted, include)
} }
for _, exclude := range test.excludes { for _, exclude := range test.excludes {
assert.NotContains(t, spec.Process.Capabilities.Bounding, exclude) assert.NotContains(t, spec.Process.Capabilities.Bounding, exclude)
assert.NotContains(t, spec.Process.Capabilities.Effective, exclude) assert.NotContains(t, spec.Process.Capabilities.Effective, exclude)
assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude)
assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude) assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude)
} }
assert.Empty(t, spec.Process.Capabilities.Inheritable)
assert.Empty(t, spec.Process.Capabilities.Ambient) assert.Empty(t, spec.Process.Capabilities.Ambient)
} }
} }