add warning use inheritable Capabilities
Signed-off-by: rongfu.leng <rongfu.leng@daocloud.io>
parent
a72adffa65
commit
df19888f83
@ -417,6 +417,9 @@ func loadBaseOCISpecs(config *criconfig.Config) (map[string]*oci.Spec, error) {
|
||||
return nil, fmt.Errorf("failed to load base OCI spec from file: %s: %w", cfg.BaseRuntimeSpec, err)
|
||||
}
|
||||
|
||||
if spec.Process != nil && spec.Process.Capabilities != nil && len(spec.Process.Capabilities.Inheritable) > 0 {
|
||||
log.L.WithField("base_runtime_spec", cfg.BaseRuntimeSpec).Warn("Provided base runtime spec includes inheritable capabilities, which may be unsafe. See CVE-2022-24769 for more details.")
|
||||
}
|
||||
specs[cfg.BaseRuntimeSpec] = spec
|
||||
}
|
||||
|
||||
|
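Review bot: The new warning on the `log.L.WithField(...).Warn(...)` line names the base spec file that carries inheritable capabilities but not which capabilities, so someone auditing the log has to open the file to see what was granted; attaching the list as a field, `log.L.WithField("base_runtime_spec", cfg.BaseRuntimeSpec).WithField("inheritable", spec.Process.Capabilities.Inheritable).Warn(...)`, makes the record self-contained. The message string is also repeated verbatim in the new test, so a package-level const shared by the check and the test would keep the two from drifting. The `if` would read better with a one-line why-comment such as `// A base spec is presumably shared by every container of that runtime, so inheritable capabilities in it deserve an audit trail (see CVE-2022-24769).` The enclosing loadBaseOCISpecs starts and ends outside this hunk.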
@ -17,7 +17,9 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"io"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
@ -33,6 +35,9 @@ import (
|
||||
servertesting "github.com/containerd/containerd/v2/pkg/cri/testing"
|
||||
ostesting "github.com/containerd/containerd/v2/pkg/os/testing"
|
||||
"github.com/containerd/containerd/v2/pkg/registrar"
|
||||
"github.com/containerd/log"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// newTestCRIService creates a fake criService for test.
|
||||
@ -82,3 +87,57 @@ func TestLoadBaseOCISpec(t *testing.T) {
|
||||
assert.Equal(t, "1.0.2", out.Version)
|
||||
assert.Equal(t, "default", out.Hostname)
|
||||
}
|
||||
|
||||
func Test_loadBaseOCISpecs(t *testing.T) {
|
||||
spec := oci.Spec{
|
||||
Version: "1.0.2",
|
||||
Hostname: "default",
|
||||
Process: &specs.Process{
|
||||
Capabilities: &specs.LinuxCapabilities{
|
||||
Inheritable: []string{"CAP_NET_RAW"},
|
||||
},
|
||||
},
|
||||
}
|
||||
file, err := os.CreateTemp("", "spec-test-")
|
||||
require.NoError(t, err)
|
||||
defer func() {
|
||||
assert.NoError(t, file.Close())
|
||||
assert.NoError(t, os.RemoveAll(file.Name()))
|
||||
}()
|
||||
err = json.NewEncoder(file).Encode(&spec)
|
||||
require.NoError(t, err)
|
||||
config := criconfig.Config{}
|
||||
config.Runtimes = map[string]criconfig.Runtime{
|
||||
"runc": {BaseRuntimeSpec: file.Name()},
|
||||
}
|
||||
var buffer bytes.Buffer
|
||||
logger := &logrus.Logger{
|
||||
Out: &buffer,
|
||||
Formatter: new(logrus.TextFormatter),
|
||||
Hooks: make(logrus.LevelHooks),
|
||||
Level: logrus.InfoLevel,
|
||||
ExitFunc: os.Exit,
|
||||
ReportCaller: false,
|
||||
}
|
||||
log.L = logrus.NewEntry(logger)
|
||||
tests := []struct {
|
||||
name string
|
||||
args *criconfig.Config
|
||||
message string
|
||||
}{
|
||||
{
|
||||
name: "args is not nil,print warning",
|
||||
args: &config,
|
||||
message: "Provided base runtime spec includes inheritable capabilities, which may be unsafe. See CVE-2022-24769 for more details.",
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
loadBaseOCISpecs(tt.args)
|
||||
readAll, _ := io.ReadAll(&buffer)
|
||||
if tt.message != "" {
|
||||
assert.Contains(t, string(readAll), tt.message)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
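Review bot: In Test_loadBaseOCISpecs the `loadBaseOCISpecs(tt.args)` call discards the returned error, so a failure to load the spec would leave the buffer empty and the test would fail on the wrong assertion; the same applies to the ignored error from `io.ReadAll`. The test also assigns `log.L = logrus.NewEntry(logger)` without restoring the previous entry, which leaks the test logger into every later test in the package; saving it and restoring via `t.Cleanup` keeps the test self-contained. The table has only one case, so the `if tt.message != ""` branch is never exercised in its negative form; a second entry with a spec that has no `Inheritable` list and `message: ""` would confirm the warning is not emitted spuriously, and `buffer.Reset()` at the start of each subtest is then needed so output does not carry over. `os.RemoveAll` on a single temp file works but `os.Remove` (or `t.TempDir()` for the whole thing) is the conventional form.
```go
	prev := log.L
	log.L = logrus.NewEntry(logger)
	t.Cleanup(func() { log.L = prev })
	// … unchanged: tests table …
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			buffer.Reset()
			_, err := loadBaseOCISpecs(tt.args)
			require.NoError(t, err)
			readAll, err := io.ReadAll(&buffer)
			require.NoError(t, err)
			if tt.message != "" {
				assert.Contains(t, string(readAll), tt.message)
			} else {
				assert.NotContains(t, string(readAll), "inheritable capabilities")
			}
		})
	}
```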