allowPrivilegeEscalation: modify api types & add functionality
Signed-off-by: Jess Frazelle <acidburn@google.com>
This commit is contained in:
Jess Frazelle
@@ -133,6 +133,11 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
|
||||
*effectiveSc.ReadOnlyRootFilesystem = *containerSc.ReadOnlyRootFilesystem
|
||||
}
|
||||
|
||||
if containerSc.AllowPrivilegeEscalation != nil {
|
||||
effectiveSc.AllowPrivilegeEscalation = new(bool)
|
||||
*effectiveSc.AllowPrivilegeEscalation = *containerSc.AllowPrivilegeEscalation
|
||||
}
|
||||
|
||||
return effectiveSc
|
||||
}
|
||||
|
||||
@@ -205,6 +210,11 @@ func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Cont
|
||||
*effectiveSc.ReadOnlyRootFilesystem = *containerSc.ReadOnlyRootFilesystem
|
||||
}
|
||||
|
||||
if containerSc.AllowPrivilegeEscalation != nil {
|
||||
effectiveSc.AllowPrivilegeEscalation = new(bool)
|
||||
*effectiveSc.AllowPrivilegeEscalation = *containerSc.AllowPrivilegeEscalation
|
||||
}
|
||||
|
||||
return effectiveSc
|
||||
}
|
||||
|
||||
@@ -231,3 +241,38 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
|
||||
|
||||
return synthesized
|
||||
}
|
||||
|
||||
// AddNoNewPrivileges returns if we should add the no_new_privs option. This will return true if:
|
||||
// 1) the container is not privileged
|
||||
// 2) CAP_SYS_ADMIN is not being added
|
||||
// 3) if podSecurityPolicy.DefaultAllowPrivilegeEscalation is:
|
||||
// - nil, then return false
|
||||
// - true, then return false
|
||||
// - false, then return true
|
||||
func AddNoNewPrivileges(sc *v1.SecurityContext) bool {
|
||||
if sc == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
// handle the case where the container is privileged
|
||||
if sc.Privileged != nil && *sc.Privileged {
|
||||
return false
|
||||
}
|
||||
|
||||
// handle the case where we are adding CAP_SYS_ADMIN
|
||||
if sc.Capabilities != nil {
|
||||
for _, cap := range sc.Capabilities.Add {
|
||||
if string(cap) == "CAP_SYS_ADMIN" {
|
||||
return false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// handle the case where the user did not set the default and did not explicitly set allowPrivilegeEscalation
|
||||
if sc.AllowPrivilegeEscalation == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
// handle the case where defaultAllowPrivilegeEscalation is false or the user explicitly set allowPrivilegeEscalation to true/false
|
||||
return !*sc.AllowPrivilegeEscalation
|
||||
}
|
||||
|
||||
@@ -176,3 +176,100 @@ func TestHasRootRunAsUser(t *testing.T) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestAddNoNewPrivileges(t *testing.T) {
|
||||
var nonRoot int64 = 1000
|
||||
var root int64 = 0
|
||||
pfalse := false
|
||||
ptrue := true
|
||||
|
||||
tests := map[string]struct {
|
||||
sc v1.SecurityContext
|
||||
expect bool
|
||||
}{
|
||||
"allowPrivilegeEscalation nil security context nil": {},
|
||||
"allowPrivilegeEscalation nil capAddSysadmin": {
|
||||
sc: v1.SecurityContext{
|
||||
Capabilities: &v1.Capabilities{
|
||||
Add: []v1.Capability{"CAP_SYS_ADMIN"},
|
||||
},
|
||||
},
|
||||
},
|
||||
"allowPrivilegeEscalation nil privileged": {
|
||||
sc: v1.SecurityContext{
|
||||
Privileged: &ptrue,
|
||||
},
|
||||
},
|
||||
"allowPrivilegeEscalation nil nonRoot": {
|
||||
sc: v1.SecurityContext{
|
||||
RunAsUser: &nonRoot,
|
||||
},
|
||||
},
|
||||
"allowPrivilegeEscalation nil root": {
|
||||
sc: v1.SecurityContext{
|
||||
RunAsUser: &root,
|
||||
},
|
||||
},
|
||||
"allowPrivilegeEscalation false capAddSysadmin": {
|
||||
sc: v1.SecurityContext{
|
||||
Capabilities: &v1.Capabilities{
|
||||
Add: []v1.Capability{"CAP_SYS_ADMIN"},
|
||||
},
|
||||
AllowPrivilegeEscalation: &pfalse,
|
||||
},
|
||||
},
|
||||
"allowPrivilegeEscalation false privileged": {
|
||||
sc: v1.SecurityContext{
|
||||
Privileged: &ptrue,
|
||||
AllowPrivilegeEscalation: &pfalse,
|
||||
},
|
||||
},
|
||||
"allowPrivilegeEscalation false nonRoot": {
|
||||
sc: v1.SecurityContext{
|
||||
RunAsUser: &nonRoot,
|
||||
AllowPrivilegeEscalation: &pfalse,
|
||||
},
|
||||
expect: true,
|
||||
},
|
||||
"allowPrivilegeEscalation false root": {
|
||||
sc: v1.SecurityContext{
|
||||
RunAsUser: &root,
|
||||
AllowPrivilegeEscalation: &pfalse,
|
||||
},
|
||||
expect: true,
|
||||
},
|
||||
"allowPrivilegeEscalation true capAddSysadmin": {
|
||||
sc: v1.SecurityContext{
|
||||
Capabilities: &v1.Capabilities{
|
||||
Add: []v1.Capability{"CAP_SYS_ADMIN"},
|
||||
},
|
||||
AllowPrivilegeEscalation: &ptrue,
|
||||
},
|
||||
},
|
||||
"allowPrivilegeEscalation true privileged": {
|
||||
sc: v1.SecurityContext{
|
||||
Privileged: &ptrue,
|
||||
AllowPrivilegeEscalation: &ptrue,
|
||||
},
|
||||
},
|
||||
"allowPrivilegeEscalation true nonRoot": {
|
||||
sc: v1.SecurityContext{
|
||||
RunAsUser: &nonRoot,
|
||||
AllowPrivilegeEscalation: &ptrue,
|
||||
},
|
||||
},
|
||||
"allowPrivilegeEscalation true root": {
|
||||
sc: v1.SecurityContext{
|
||||
RunAsUser: &root,
|
||||
AllowPrivilegeEscalation: &ptrue,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for k, v := range tests {
|
||||
actual := AddNoNewPrivileges(&v.sc)
|
||||
if actual != v.expect {
|
||||
t.Errorf("%s failed, expected %t but received %t", k, v.expect, actual)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user