From 2d997859def73e23c01589a0ba3e3218a6b8a2f3 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Fri, 12 May 2017 16:33:29 +0200
Subject: [PATCH 1/3] vendor: bump oci/runtime-tools to fix caps drop

Signed-off-by: Antonio Murdaca
---
 lock.json | 6 ++--
 .../cmd/oci-runtime-tool/generate.go | 5 +++
 .../completions/bash/oci-runtime-tool | 1 +
 .../runtime-tools/generate/generate.go | 8 ++---
 .../man/oci-runtime-tool-generate.1.md | 3 ++
 .../runtime-tools/validate/validate.go | 31 ++++---------------
 6 files changed, 21 insertions(+), 33 deletions(-)

diff --git a/lock.json b/lock.json
index c3dc4485..46c4cc9b 100644
--- a/lock.json
+++ b/lock.json
@@ -1,5 +1,5 @@
 {
- "memo": "5791d48b7e77e9f18a26535dfb184838f1d863f5d364fc9907cf16b6013e9846",
+ "memo": "a13cb8f78972694597c79648073de6966e267da85e1a2bcb70d2a0fdd8e8ddec",
 "projects": [
 {
 "name": "cloud.google.com/go",
@@ -523,6 +523,8 @@
 "revision": "b263a43430ac6996a4302b891688544225197294",
 "packages": [
 "libcontainer/apparmor",
+ "libcontainer/configs",
+ "libcontainer/devices",
 "libcontainer/system",
 "libcontainer/user"
 ]
@@ -538,7 +540,7 @@
 {
 "name": "github.com/opencontainers/runtime-tools",
 "branch": "master",
- "revision": "18a122b45a71765b09c6a451008a63687040b74a",
+ "revision": "c522fd3e80dd35b292e45c5057754a746fdcfa17",
 "packages": [
 "generate",
 "generate/seccomp",
diff --git a/vendor/github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool/generate.go b/vendor/github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool/generate.go
index e8aeaec8..2488b903 100644
--- a/vendor/github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool/generate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool/generate.go
@@ -24,6 +24,7 @@ var generateFlags = []cli.Flag{
 cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest[:options...]"},
 cli.StringSliceFlag{Name: "cap-add", Usage: "add Linux capabilities"},
 cli.StringSliceFlag{Name: "cap-drop", Usage: "drop Linux capabilities"},
+ cli.BoolFlag{Name: "cap-drop-all", Usage: "drop all Linux capabilities"},
 cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"},
 cli.StringFlag{Name: "cwd", Value: "/", Usage: "current working directory for the process"},
 cli.StringSliceFlag{Name: "device-add", Usage: "add a device which must be made available in the container"},
@@ -279,6 +280,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 }
 }
 
+ if context.Bool("cap-drop-all") {
+ g.ClearProcessCapabilities()
+ }
+
 var uidMaps, gidMaps []string
 
 if context.IsSet("uidmappings") {
diff --git a/vendor/github.com/opencontainers/runtime-tools/completions/bash/oci-runtime-tool b/vendor/github.com/opencontainers/runtime-tools/completions/bash/oci-runtime-tool
index 08195346..0b0cbca9 100644
--- a/vendor/github.com/opencontainers/runtime-tools/completions/bash/oci-runtime-tool
+++ b/vendor/github.com/opencontainers/runtime-tools/completions/bash/oci-runtime-tool
@@ -368,6 +368,7 @@ _oci-runtime-tool_generate() {
 "
 
 local boolean_options="
+ --cap-drop-all
 --device-remove-all
 --disable-oom-kill
 --help -h
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
index 737cd9e0..5ca0e315 100644
--- a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
@@ -912,35 +912,30 @@ func (g *Generator) DropProcessCapability(c string) error {
 for i, cap := range g.spec.Process.Capabilities.Bounding {
 if strings.ToUpper(cap) == cp {
 g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding[:i], g.spec.Process.Capabilities.Bounding[i+1:]...)
- return nil
 }
 }
 
 for i, cap := range g.spec.Process.Capabilities.Effective {
 if strings.ToUpper(cap) == cp {
 g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective[:i], g.spec.Process.Capabilities.Effective[i+1:]...)
- return nil
 }
 }
 
 for i, cap := range g.spec.Process.Capabilities.Inheritable {
 if strings.ToUpper(cap) == cp {
 g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable[:i], g.spec.Process.Capabilities.Inheritable[i+1:]...)
- return nil
 }
 }
 
 for i, cap := range g.spec.Process.Capabilities.Permitted {
 if strings.ToUpper(cap) == cp {
 g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted[:i], g.spec.Process.Capabilities.Permitted[i+1:]...)
- return nil
 }
 }
 
 for i, cap := range g.spec.Process.Capabilities.Ambient {
 if strings.ToUpper(cap) == cp {
 g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient[:i], g.spec.Process.Capabilities.Ambient[i+1:]...)
- return nil
 }
 }
 
@@ -1031,7 +1026,7 @@ func (g *Generator) AddDevice(device rspec.LinuxDevice) {
 g.spec.Linux.Devices = append(g.spec.Linux.Devices, device)
 }
 
-//RemoveDevice remove a device from g.spec.Linux.Devices
+// RemoveDevice remove a device from g.spec.Linux.Devices
 func (g *Generator) RemoveDevice(path string) error {
 if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
 return nil
@@ -1046,6 +1041,7 @@ func (g *Generator) RemoveDevice(path string) error {
 return nil
 }
 
+// ClearLinuxDevices clears g.spec.Linux.Devices
 func (g *Generator) ClearLinuxDevices() {
 if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
 return
diff --git a/vendor/github.com/opencontainers/runtime-tools/man/oci-runtime-tool-generate.1.md b/vendor/github.com/opencontainers/runtime-tools/man/oci-runtime-tool-generate.1.md
index 32bdcffa..e497ad4c 100644
--- a/vendor/github.com/opencontainers/runtime-tools/man/oci-runtime-tool-generate.1.md
+++ b/vendor/github.com/opencontainers/runtime-tools/man/oci-runtime-tool-generate.1.md
@@ -45,6 +45,9 @@ read the configuration from `config.json`.
 **--cap-drop**=[] Drop Linux capabilities +**--cap-drop-all**true|false Drop all Linux capabilities + **--cgroups-path**="" Specifies the path to the cgroups relative to the cgroups mount point.
diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
index 95172e9a..b7260f9b 100644
--- a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
@@ -40,22 +40,6 @@ var (
 "RLIMIT_SIGPENDING",
 "RLIMIT_STACK",
 }
- defaultCaps = []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- }
 )
 
 // Validator represents a validator for runtime bundle
@@ -275,7 +259,7 @@ func (v *Validator) CheckProcess() (msgs []string) {
 }
 }
 
- msgs = append(msgs, v.CheckCapablities()...)
+ msgs = append(msgs, v.CheckCapabilities()...)
 msgs = append(msgs, v.CheckRlimits()...)
 
 if v.spec.Platform.OS == "linux" {
@@ -292,7 +276,8 @@ func (v *Validator) CheckProcess() (msgs []string) {
 return
 }
 
-func (v *Validator) CheckCapablities() (msgs []string) {
+// CheckCapabilities checks v.spec.Process.Capabilities
+func (v *Validator) CheckCapabilities() (msgs []string) {
 process := v.spec.Process
 if v.spec.Platform.OS == "linux" {
 var caps []string
@@ -325,6 +310,7 @@ func (v *Validator) CheckCapablities() (msgs []string) {
 return
 }
 
+// CheckRlimits checks v.spec.Process.Rlimits
 func (v *Validator) CheckRlimits() (msgs []string) {
 process := v.spec.Process
 for index, rlimit := range process.Rlimits {
@@ -700,13 +686,8 @@ func namespaceValid(ns rspec.LinuxNamespace) bool {
 
 func deviceValid(d rspec.LinuxDevice) bool {
 switch d.Type {
- case "b":
- case "c":
- case "u":
- if d.Major <= 0 {
- return false
- }
- if d.Minor <= 0 {
+ case "b", "c", "u":
+ if d.Major <= 0 || d.Minor <= 0 {
 return false
 }
 case "p":

From 9b48e83027d567082e9f2a4577f1ff8b1c840ea4 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Fri, 12 May 2017 18:20:34 +0200
Subject: [PATCH 2/3] test: add caps drop test

Signed-off-by: Antonio Murdaca
---
 test/ctr.bats | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/test/ctr.bats b/test/ctr.bats
index 375fc8bf..3fe429ea 100644
--- a/test/ctr.bats
+++ b/test/ctr.bats
@@ -556,3 +556,20 @@ function teardown() {
 cleanup_pods
 stop_ocid
 }
+
+@test "ctr caps drop" {
+ start_ocid
+ run ocic pod run --config "$TESTDATA"/sandbox_config.json
+ echo "$output"
+ [ "$status" -eq 0 ]
+ pod_id="$output"
+ capsconfig=$(cat "$TESTDATA"/container_config.json | python -c 'import json,sys;obj=json.load(sys.stdin);obj["linux"]["security_context"]["capabilities"] = {u"add_capabilities": [], u"drop_capabilities": [u"mknod", u"kill", u"sys_chroot", u"setuid", u"setgid"]}; json.dump(obj, sys.stdout)')
+ echo "$capsconfig" > "$TESTDIR"/container_config_caps.json
+ run ocic ctr create --config "$TESTDIR"/container_config_caps.json --pod "$pod_id"
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+ cleanup_ctrs
+ cleanup_pods
+ stop_ocid
+}

From 712df31f9cb4028d415dca21789489a9249e2b18 Mon Sep 17 00:00:00 2001
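Review bot: The new "ctr caps drop" test only asserts that `ocic ctr create` exits 0 with a drop_capabilities list, so it would still pass if the drop were silently ignored — the regression the vendor bump is meant to fix is never observed. After the create, capture the id and start the container so the generated spec is actually consumed by the runtime, e.g. `ctr_id="$output"`, `run ocic ctr start --id "$ctr_id"`, `[ "$status" -eq 0 ]`, assuming the start subcommand used elsewhere in this file (outside the hunk) is available. If ocic exposes an exec-style subcommand, the strongest assertion is to read CapBnd/CapEff from /proc/self/status inside the container and check that the dropped bits are clear. Minor: `cat ... | python -c` can read the file directly with `json.load(open(sys.argv[1]))` or `python - <"$TESTDATA"/container_config.json`.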
From: Antonio Murdaca
Date: Fri, 12 May 2017 18:55:14 +0200
Subject: [PATCH 3/3] Makefile: clean and rebuild binaries before testing

if you run `make localintegration` from a branch, switch to another and re-run the command again, `ocid` won't get built again causing tests to run with binaries from the old branch you switched from. This patch makes sure we cleanup binaries and rebuild before running tests.

Signed-off-by: Antonio Murdaca
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 9e211a3c..31d0a69e 100644
--- a/Makefile
+++ b/Makefile
@@ -107,7 +107,7 @@ dbuild: ocidimage
 integration: ocidimage
 docker run -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${OCID_IMAGE} make localintegration
 
-localintegration: binaries
+localintegration: clean binaries
 ./test/test_runner.sh ${TESTFLAGS}
 
 binaries: ocid ocic kpod conmon pause bin2img copyimg checkseccomp
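Review bot: `localintegration: clean binaries` relies on prerequisite order, which GNU make only honours for a serial build; under `make -j` the two prerequisites may run concurrently, so `clean` can delete the binaries while or after `binaries` produces them and the test run then fails or, worse, picks up whatever survived. Sequence the two steps in the recipe instead, e.g. `localintegration: clean` / `$(MAKE) binaries` / `./test/test_runner.sh ${TESTFLAGS}`, or declare `.NOTPARALLEL:` if parallel builds are not meant to be supported here. The `clean` target itself is outside the hunk, so whether it removes more than the binaries (which would also slow `make integration`, which runs this target inside the container) cannot be judged from this diff.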