AllowPrivilegeEscalation: add validations for caps and privileged

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
2017-09-21 18:35:06 -04:00
parent d699a6f30c
commit 0ad51ed763
4 changed files with 52 additions and 61 deletions
--- a/pkg/securitycontext/util.go
+++ b/pkg/securitycontext/util.go
@@ -242,32 +242,12 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
 	return synthesized
 }

-// AddNoNewPrivileges returns if we should add the no_new_privs option. This will return true if:
-// 1) the container is not privileged
-// 2) CAP_SYS_ADMIN is not being added
-// 3) if podSecurityPolicy.DefaultAllowPrivilegeEscalation is:
-//		- nil, then return false
-//		- true, then return false
-//		- false, then return true
+// AddNoNewPrivileges returns if we should add the no_new_privs option.
 func AddNoNewPrivileges(sc *v1.SecurityContext) bool {
 	if sc == nil {
 		return false
 	}

-	// handle the case where the container is privileged
-	if sc.Privileged != nil && *sc.Privileged {
-		return false
-	}
-
-	// handle the case where we are adding CAP_SYS_ADMIN
-	if sc.Capabilities != nil {
-		for _, cap := range sc.Capabilities.Add {
-			if string(cap) == "CAP_SYS_ADMIN" {
-				return false
-			}
-		}
-	}
-
 	// handle the case where the user did not set the default and did not explicitly set allowPrivilegeEscalation
 	if sc.AllowPrivilegeEscalation == nil {
 		return false
--- a/pkg/securitycontext/util_test.go
+++ b/pkg/securitycontext/util_test.go
@@ -188,18 +188,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
 		expect bool
 	}{
 		"allowPrivilegeEscalation nil security context nil": {},
-		"allowPrivilegeEscalation nil capAddSysadmin": {
-			sc: v1.SecurityContext{
-				Capabilities: &v1.Capabilities{
-					Add: []v1.Capability{"CAP_SYS_ADMIN"},
-				},
-			},
-		},
-		"allowPrivilegeEscalation nil privileged": {
-			sc: v1.SecurityContext{
-				Privileged: &ptrue,
-			},
-		},
 		"allowPrivilegeEscalation nil nonRoot": {
 			sc: v1.SecurityContext{
 				RunAsUser: &nonRoot,
@@ -210,20 +198,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
 				RunAsUser: &root,
 			},
 		},
-		"allowPrivilegeEscalation false capAddSysadmin": {
-			sc: v1.SecurityContext{
-				Capabilities: &v1.Capabilities{
-					Add: []v1.Capability{"CAP_SYS_ADMIN"},
-				},
-				AllowPrivilegeEscalation: &pfalse,
-			},
-		},
-		"allowPrivilegeEscalation false privileged": {
-			sc: v1.SecurityContext{
-				Privileged:               &ptrue,
-				AllowPrivilegeEscalation: &pfalse,
-			},
-		},
 		"allowPrivilegeEscalation false nonRoot": {
 			sc: v1.SecurityContext{
 				RunAsUser:                &nonRoot,
@@ -238,20 +212,6 @@ func TestAddNoNewPrivileges(t *testing.T) {
 			},
 			expect: true,
 		},
-		"allowPrivilegeEscalation true capAddSysadmin": {
-			sc: v1.SecurityContext{
-				Capabilities: &v1.Capabilities{
-					Add: []v1.Capability{"CAP_SYS_ADMIN"},
-				},
-				AllowPrivilegeEscalation: &ptrue,
-			},
-		},
-		"allowPrivilegeEscalation true privileged": {
-			sc: v1.SecurityContext{
-				Privileged:               &ptrue,
-				AllowPrivilegeEscalation: &ptrue,
-			},
-		},
 		"allowPrivilegeEscalation true nonRoot": {
 			sc: v1.SecurityContext{
 				RunAsUser:                &nonRoot,