add warning when a base runtime spec uses inheritable capabilities

Signed-off-by: rongfu.leng <rongfu.leng@daocloud.io>
rongfu.leng 2023-10-23 23:13:19 +08:00
parent a72adffa65
commit df19888f83
2 changed files with 62 additions and 0 deletions


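--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -417,6 +417,9 @@ func loadBaseOCISpecs(config *criconfig.Config) (map[string]*oci.Spec, error) {
 return nil, fmt.Errorf("failed to load base OCI spec from file: %s: %w", cfg.BaseRuntimeSpec, err)
 }
+if spec.Process != nil && spec.Process.Capabilities != nil && len(spec.Process.Capabilities.Inheritable) > 0 {
+log.L.WithField("base_runtime_spec", cfg.BaseRuntimeSpec).Warn("Provided base runtime spec includes inheritable capabilities, which may be unsafe. See CVE-2022-24769 for more details.")
+}
 specs[cfg.BaseRuntimeSpec] = spec
 }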
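Review bot: The warning added in this hunk records only the spec path, not which inheritable capabilities were found, so an operator triaging the log still has to open the file to judge the risk; attach the set with `WithField("inheritable", spec.Process.Capabilities.Inheritable)` before the `.Warn(...)` call. A short comment above the `if` would also help later readers understand that this is advisory, e.g. `// Inheritable caps in a base spec are flagged, not rejected; see CVE-2022-24769.`, since the spec is still stored and used on the very next line. If rejecting such specs is ever intended, that decision belongs here rather than in the log consumer. loadBaseOCISpecs starts and ends outside the hunk.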


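--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -17,7 +17,9 @@
 package server
 import (
+"bytes"
 "encoding/json"
+"io"
 "os"
 "testing"
@@ -33,6 +35,9 @@ import (
 servertesting "github.com/containerd/containerd/v2/pkg/cri/testing"
 ostesting "github.com/containerd/containerd/v2/pkg/os/testing"
 "github.com/containerd/containerd/v2/pkg/registrar"
+"github.com/containerd/log"
+"github.com/opencontainers/runtime-spec/specs-go"
+"github.com/sirupsen/logrus"
 )
 // newTestCRIService creates a fake criService for test.
@@ -82,3 +87,57 @@ func TestLoadBaseOCISpec(t *testing.T) {
 assert.Equal(t, "1.0.2", out.Version)
 assert.Equal(t, "default", out.Hostname)
 }
+func Test_loadBaseOCISpecs(t *testing.T) {
+spec := oci.Spec{
+Version: "1.0.2",
+Hostname: "default",
+Process: &specs.Process{
+Capabilities: &specs.LinuxCapabilities{
+Inheritable: []string{"CAP_NET_RAW"},
+},
+},
+}
+file, err := os.CreateTemp("", "spec-test-")
+require.NoError(t, err)
+defer func() {
+assert.NoError(t, file.Close())
+assert.NoError(t, os.RemoveAll(file.Name()))
+}()
+err = json.NewEncoder(file).Encode(&spec)
+require.NoError(t, err)
+config := criconfig.Config{}
+config.Runtimes = map[string]criconfig.Runtime{
+"runc": {BaseRuntimeSpec: file.Name()},
+}
+var buffer bytes.Buffer
+logger := &logrus.Logger{
+Out: &buffer,
+Formatter: new(logrus.TextFormatter),
+Hooks: make(logrus.LevelHooks),
+Level: logrus.InfoLevel,
+ExitFunc: os.Exit,
+ReportCaller: false,
+}
+log.L = logrus.NewEntry(logger)
+tests := []struct {
+name string
+args *criconfig.Config
+message string
+}{
+{
+name: "args is not nil,print warning",
+args: &config,
+message: "Provided base runtime spec includes inheritable capabilities, which may be unsafe. See CVE-2022-24769 for more details.",
+},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+loadBaseOCISpecs(tt.args)
+readAll, _ := io.ReadAll(&buffer)
+if tt.message != "" {
+assert.Contains(t, string(readAll), tt.message)
+}
+})
+}
+}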
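Review bot: Test_loadBaseOCISpecs overwrites the package-global `log.L` and never restores it, so every later test in the package logs into this test's buffer and any test that inspects its own log output becomes order-dependent; save the previous entry and restore it with `t.Cleanup`. The subtest also discards the error from `loadBaseOCISpecs(tt.args)` and from `io.ReadAll(&buffer)`, so a spec that fails to load would not fail the test on its own — check both with `require.NoError`. The table allows an empty `message` but has only one row; a second spec without inheritable capabilities asserting the warning is absent would pin the negative path as well. The rewritten lines are below.
```go
// … unchanged: temp spec file, config and logger construction …
prev := log.L
t.Cleanup(func() { log.L = prev })
log.L = logrus.NewEntry(logger)
// … unchanged: tests table …
for _, tt := range tests {
	t.Run(tt.name, func(t *testing.T) {
		_, err := loadBaseOCISpecs(tt.args)
		require.NoError(t, err)
		readAll, err := io.ReadAll(&buffer)
		require.NoError(t, err)
		if tt.message != "" {
			assert.Contains(t, string(readAll), tt.message)
		}
	})
}
```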