vendor: bump oci/runtime-tools to fix caps drop

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Antonio Murdaca 2017-05-12 16:33:29 +02:00
parent c533e5e34b
commit 2d997859de
6 changed files with 21 additions and 33 deletions


@ -1,5 +1,5 @@
{
"memo": "5791d48b7e77e9f18a26535dfb184838f1d863f5d364fc9907cf16b6013e9846",
"memo": "a13cb8f78972694597c79648073de6966e267da85e1a2bcb70d2a0fdd8e8ddec",
"projects": [
{
"name": "cloud.google.com/go",
@ -523,6 +523,8 @@
"revision": "b263a43430ac6996a4302b891688544225197294",
"packages": [
"libcontainer/apparmor",
"libcontainer/configs",
"libcontainer/devices",
"libcontainer/system",
"libcontainer/user"
]
@ -538,7 +540,7 @@
{
"name": "github.com/opencontainers/runtime-tools",
"branch": "master",
"revision": "18a122b45a71765b09c6a451008a63687040b74a",
"revision": "c522fd3e80dd35b292e45c5057754a746fdcfa17",
"packages": [
"generate",
"generate/seccomp",


@ -24,6 +24,7 @@ var generateFlags = []cli.Flag{
cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest[:options...]"},
cli.StringSliceFlag{Name: "cap-add", Usage: "add Linux capabilities"},
cli.StringSliceFlag{Name: "cap-drop", Usage: "drop Linux capabilities"},
cli.BoolFlag{Name: "cap-drop-all", Usage: "drop all Linux capabilities"},
cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"},
cli.StringFlag{Name: "cwd", Value: "/", Usage: "current working directory for the process"},
cli.StringSliceFlag{Name: "device-add", Usage: "add a device which must be made available in the container"},
@ -279,6 +280,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
}
}
if context.Bool("cap-drop-all") {
g.ClearProcessCapabilities()
}
var uidMaps, gidMaps []string
if context.IsSet("uidmappings") {
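Review bot: The new `cap-drop-all` branch runs after the blocks closed by the two braces above it, so if those are the `cap-add`/`cap-drop` loops (they start outside the hunk) a command line combining `--cap-drop-all --cap-add X` ends with an empty capability set and the requested additions silently discarded. That combination is the usual least-privilege idiom, so either apply the clear before the additions are processed or reject the combination explicitly, e.g. `if context.Bool("cap-drop-all") && context.IsSet("cap-add") { return fmt.Errorf("--cap-drop-all cannot be combined with --cap-add") }` (assuming `fmt` is already imported). A one-line flag usage note such as `Usage: "drop all Linux capabilities (applied after cap-add/cap-drop)"` would at least make the ordering visible to users. setupSpec continues outside the hunk in both directions, so the actual order should be confirmed against the full function.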


@ -368,6 +368,7 @@ _oci-runtime-tool_generate() {
"
local boolean_options="
--cap-drop-all
--device-remove-all
--disable-oom-kill
--help -h


@ -912,35 +912,30 @@ func (g *Generator) DropProcessCapability(c string) error {
for i, cap := range g.spec.Process.Capabilities.Bounding {
if strings.ToUpper(cap) == cp {
g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding[:i], g.spec.Process.Capabilities.Bounding[i+1:]...)
return nil
}
}
for i, cap := range g.spec.Process.Capabilities.Effective {
if strings.ToUpper(cap) == cp {
g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective[:i], g.spec.Process.Capabilities.Effective[i+1:]...)
return nil
}
}
for i, cap := range g.spec.Process.Capabilities.Inheritable {
if strings.ToUpper(cap) == cp {
g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable[:i], g.spec.Process.Capabilities.Inheritable[i+1:]...)
return nil
}
}
for i, cap := range g.spec.Process.Capabilities.Permitted {
if strings.ToUpper(cap) == cp {
g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted[:i], g.spec.Process.Capabilities.Permitted[i+1:]...)
return nil
}
}
for i, cap := range g.spec.Process.Capabilities.Ambient {
if strings.ToUpper(cap) == cp {
g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient[:i], g.spec.Process.Capabilities.Ambient[i+1:]...)
return nil
}
}
@ -1031,7 +1026,7 @@ func (g *Generator) AddDevice(device rspec.LinuxDevice) {
g.spec.Linux.Devices = append(g.spec.Linux.Devices, device)
}
//RemoveDevice remove a device from g.spec.Linux.Devices
// RemoveDevice remove a device from g.spec.Linux.Devices
func (g *Generator) RemoveDevice(path string) error {
if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
return nil
@ -1046,6 +1041,7 @@ func (g *Generator) RemoveDevice(path string) error {
return nil
}
// ClearLinuxDevices clears g.spec.Linux.Devices
func (g *Generator) ClearLinuxDevices() {
if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
return


@ -45,6 +45,9 @@ read the configuration from `config.json`.
**--cap-drop**=[]
Drop Linux capabilities
**--cap-drop-all**true|false
Drop all Linux capabilities
**--cgroups-path**=""
Specifies the path to the cgroups relative to the cgroups mount point.


@ -40,22 +40,6 @@ var (
"RLIMIT_SIGPENDING",
"RLIMIT_STACK",
}
defaultCaps = []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
}
)
// Validator represents a validator for runtime bundle
@ -275,7 +259,7 @@ func (v *Validator) CheckProcess() (msgs []string) {
}
}
msgs = append(msgs, v.CheckCapablities()...)
msgs = append(msgs, v.CheckCapabilities()...)
msgs = append(msgs, v.CheckRlimits()...)
if v.spec.Platform.OS == "linux" {
@ -292,7 +276,8 @@ func (v *Validator) CheckProcess() (msgs []string) {
return
}
func (v *Validator) CheckCapablities() (msgs []string) {
// CheckCapabilities checks v.spec.Process.Capabilities
func (v *Validator) CheckCapabilities() (msgs []string) {
process := v.spec.Process
if v.spec.Platform.OS == "linux" {
var caps []string
@ -325,6 +310,7 @@ func (v *Validator) CheckCapablities() (msgs []string) {
return
}
// CheckRlimits checks v.spec.Process.Rlimits
func (v *Validator) CheckRlimits() (msgs []string) {
process := v.spec.Process
for index, rlimit := range process.Rlimits {
@ -700,13 +686,8 @@ func namespaceValid(ns rspec.LinuxNamespace) bool {
func deviceValid(d rspec.LinuxDevice) bool {
switch d.Type {
case "b":
case "c":
case "u":
if d.Major <= 0 {
return false
}
if d.Minor <= 0 {
case "b", "c", "u":
if d.Major <= 0 || d.Minor <= 0 {
return false
}
case "p":