f3cdfc488e
runc rc95 contains a fix for CVE-2021-30465. runc rc94 provides fixes and improvements. One notable change is cgroup manager's Set now accept Resources rather than Cgroup (see https://github.com/opencontainers/runc/pull/2906). Modify the code accordingly. Also update runc dependencies (as hinted by hack/lint-depdendencies.sh): github.com/cilium/ebpf v0.5.0 github.com/containerd/console v1.0.2 github.com/coreos/go-systemd/v22 v22.3.1 github.com/godbus/dbus/v5 v5.0.4 github.com/moby/sys/mountinfo v0.4.1 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 github.com/google/go-cmp v0.5.4 github.com/kr/pretty v0.2.1 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
112 lines
3.0 KiB
Go
112 lines
3.0 KiB
Go
// +build linux
|
|
|
|
package capabilities
|
|
|
|
import (
|
|
"sort"
|
|
"strings"
|
|
|
|
"github.com/opencontainers/runc/libcontainer/configs"
|
|
"github.com/sirupsen/logrus"
|
|
"github.com/syndtr/gocapability/capability"
|
|
)
|
|
|
|
const allCapabilityTypes = capability.CAPS | capability.BOUNDING | capability.AMBIENT
|
|
|
|
var (
|
|
capabilityMap map[string]capability.Cap
|
|
capTypes = []capability.CapType{
|
|
capability.BOUNDING,
|
|
capability.PERMITTED,
|
|
capability.INHERITABLE,
|
|
capability.EFFECTIVE,
|
|
capability.AMBIENT,
|
|
}
|
|
)
|
|
|
|
func init() {
|
|
capabilityMap = make(map[string]capability.Cap, capability.CAP_LAST_CAP+1)
|
|
for _, c := range capability.List() {
|
|
if c > capability.CAP_LAST_CAP {
|
|
continue
|
|
}
|
|
capabilityMap["CAP_"+strings.ToUpper(c.String())] = c
|
|
}
|
|
}
|
|
|
|
// New creates a new Caps from the given Capabilities config. Unknown Capabilities
|
|
// or Capabilities that are unavailable in the current environment are ignored,
|
|
// printing a warning instead.
|
|
func New(capConfig *configs.Capabilities) (*Caps, error) {
|
|
var (
|
|
err error
|
|
c Caps
|
|
)
|
|
|
|
unknownCaps := make(map[string]struct{})
|
|
c.caps = map[capability.CapType][]capability.Cap{
|
|
capability.BOUNDING: capSlice(capConfig.Bounding, unknownCaps),
|
|
capability.EFFECTIVE: capSlice(capConfig.Effective, unknownCaps),
|
|
capability.INHERITABLE: capSlice(capConfig.Inheritable, unknownCaps),
|
|
capability.PERMITTED: capSlice(capConfig.Permitted, unknownCaps),
|
|
capability.AMBIENT: capSlice(capConfig.Ambient, unknownCaps),
|
|
}
|
|
if c.pid, err = capability.NewPid2(0); err != nil {
|
|
return nil, err
|
|
}
|
|
if err = c.pid.Load(); err != nil {
|
|
return nil, err
|
|
}
|
|
if len(unknownCaps) > 0 {
|
|
logrus.Warn("ignoring unknown or unavailable capabilities: ", mapKeys(unknownCaps))
|
|
}
|
|
return &c, nil
|
|
}
|
|
|
|
// capSlice converts the slice of capability names in caps, to their numeric
|
|
// equivalent, and returns them as a slice. Unknown or unavailable capabilities
|
|
// are not returned, but appended to unknownCaps.
|
|
func capSlice(caps []string, unknownCaps map[string]struct{}) []capability.Cap {
|
|
var out []capability.Cap
|
|
for _, c := range caps {
|
|
if v, ok := capabilityMap[c]; !ok {
|
|
unknownCaps[c] = struct{}{}
|
|
} else {
|
|
out = append(out, v)
|
|
}
|
|
}
|
|
return out
|
|
}
|
|
|
|
// mapKeys returns the keys of input in sorted order
|
|
func mapKeys(input map[string]struct{}) []string {
|
|
var keys []string
|
|
for c := range input {
|
|
keys = append(keys, c)
|
|
}
|
|
sort.Strings(keys)
|
|
return keys
|
|
}
|
|
|
|
// Caps holds the capabilities for a container.
|
|
type Caps struct {
|
|
pid capability.Capabilities
|
|
caps map[capability.CapType][]capability.Cap
|
|
}
|
|
|
|
// ApplyBoundingSet sets the capability bounding set to those specified in the whitelist.
|
|
func (c *Caps) ApplyBoundingSet() error {
|
|
c.pid.Clear(capability.BOUNDING)
|
|
c.pid.Set(capability.BOUNDING, c.caps[capability.BOUNDING]...)
|
|
return c.pid.Apply(capability.BOUNDING)
|
|
}
|
|
|
|
// Apply sets all the capabilities for the current process in the config.
|
|
func (c *Caps) ApplyCaps() error {
|
|
c.pid.Clear(allCapabilityTypes)
|
|
for _, g := range capTypes {
|
|
c.pid.Set(g, c.caps[g]...)
|
|
}
|
|
return c.pid.Apply(allCapabilityTypes)
|
|
}
|