Merge pull request #507 from runcom/fix-caps-drop
vendor: bump oci/runtime-tools to fix caps drop
commit
7465244d7d
8 changed files with 39 additions and 34 deletions
2
Makefile
2
Makefile
|
@ -107,7 +107,7 @@ dbuild: ocidimage
|
|||
integration: ocidimage
|
||||
docker run -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${OCID_IMAGE} make localintegration
|
||||
|
||||
localintegration: binaries
|
||||
localintegration: clean binaries
|
||||
./test/test_runner.sh ${TESTFLAGS}
|
||||
|
||||
binaries: ocid ocic kpod conmon pause bin2img copyimg checkseccomp
|
||||
|
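Review bot: Listing `clean` as a sibling prerequisite in `localintegration: clean binaries` does not guarantee it runs first: prerequisites on one rule line have no defined order under `make -j`, so `clean` may run concurrently with `binaries` and delete artifacts it is producing. If a fresh build before the tests is the intent, sequence the steps in the recipe instead, e.g. `localintegration:` with `$(MAKE) clean` and `$(MAKE) binaries` as recipe lines ahead of the existing `./test/test_runner.sh ${TESTFLAGS}`. Since `integration` invokes `make localintegration` inside the container, this full rebuild is now paid on every integration run, which may be intended but is worth a comment on the target.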
|
|
@ -1,5 +1,5 @@
|
|||
{
|
||||
"memo": "5791d48b7e77e9f18a26535dfb184838f1d863f5d364fc9907cf16b6013e9846",
|
||||
"memo": "a13cb8f78972694597c79648073de6966e267da85e1a2bcb70d2a0fdd8e8ddec",
|
||||
"projects": [
|
||||
{
|
||||
"name": "cloud.google.com/go",
|
||||
|
@ -523,6 +523,8 @@
|
|||
"revision": "b263a43430ac6996a4302b891688544225197294",
|
||||
"packages": [
|
||||
"libcontainer/apparmor",
|
||||
"libcontainer/configs",
|
||||
"libcontainer/devices",
|
||||
"libcontainer/system",
|
||||
"libcontainer/user"
|
||||
]
|
||||
|
@ -538,7 +540,7 @@
|
|||
{
|
||||
"name": "github.com/opencontainers/runtime-tools",
|
||||
"branch": "master",
|
||||
"revision": "18a122b45a71765b09c6a451008a63687040b74a",
|
||||
"revision": "c522fd3e80dd35b292e45c5057754a746fdcfa17",
|
||||
"packages": [
|
||||
"generate",
|
||||
"generate/seccomp",
|
||||
|
|
|
@ -556,3 +556,20 @@ function teardown() {
|
|||
cleanup_pods
|
||||
stop_ocid
|
||||
}
|
||||
|
||||
@test "ctr caps drop" {
|
||||
start_ocid
|
||||
run ocic pod run --config "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
pod_id="$output"
|
||||
capsconfig=$(cat "$TESTDATA"/container_config.json | python -c 'import json,sys;obj=json.load(sys.stdin);obj["linux"]["security_context"]["capabilities"] = {u"add_capabilities": [], u"drop_capabilities": [u"mknod", u"kill", u"sys_chroot", u"setuid", u"setgid"]}; json.dump(obj, sys.stdout)')
|
||||
echo "$capsconfig" > "$TESTDIR"/container_config_caps.json
|
||||
run ocic ctr create --config "$TESTDIR"/container_config_caps.json --pod "$pod_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
cleanup_ctrs
|
||||
cleanup_pods
|
||||
stop_ocid
|
||||
}
|
||||
|
|
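Review bot: The new `ctr caps drop` test only asserts that `ocic ctr create` exits 0 with `drop_capabilities` set; it never starts the container or inspects the resulting process, so a runtime that silently ignores the drops — the regression the PR title says this bump fixes — would still pass. If `ocic` can start and exec into the container, assert on the effective set, e.g. read `CapEff` from `/proc/1/status` inside the container and check the bits for `CAP_MKNOD`, `CAP_KILL`, `CAP_SYS_CHROOT`, `CAP_SETUID` and `CAP_SETGID` are clear; otherwise at least load the generated OCI `config.json` and assert those names are absent from every capability set (bounding, effective, inheritable, permitted, ambient), not just one. The names are passed lowercase without the `CAP_` prefix, so the test also depends on the server normalizing them; a one-line comment stating that assumption would help the next reader. Minor: `cat "$TESTDATA"/container_config.json | python -c` can be `python -c '...' < "$TESTDATA"/container_config.json`.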
5
vendor/github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool/generate.go
generated
vendored
5
vendor/github.com/opencontainers/runtime-tools/cmd/oci-runtime-tool/generate.go
generated
vendored
|
@ -24,6 +24,7 @@ var generateFlags = []cli.Flag{
|
|||
cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest[:options...]"},
|
||||
cli.StringSliceFlag{Name: "cap-add", Usage: "add Linux capabilities"},
|
||||
cli.StringSliceFlag{Name: "cap-drop", Usage: "drop Linux capabilities"},
|
||||
cli.BoolFlag{Name: "cap-drop-all", Usage: "drop all Linux capabilities"},
|
||||
cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"},
|
||||
cli.StringFlag{Name: "cwd", Value: "/", Usage: "current working directory for the process"},
|
||||
cli.StringSliceFlag{Name: "device-add", Usage: "add a device which must be made available in the container"},
|
||||
|
@ -279,6 +280,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
|
|||
}
|
||||
}
|
||||
|
||||
if context.Bool("cap-drop-all") {
|
||||
g.ClearProcessCapabilities()
|
||||
}
|
||||
|
||||
var uidMaps, gidMaps []string
|
||||
|
||||
if context.IsSet("uidmappings") {
|
||||
|
|
1
vendor/github.com/opencontainers/runtime-tools/completions/bash/oci-runtime-tool
generated
vendored
1
vendor/github.com/opencontainers/runtime-tools/completions/bash/oci-runtime-tool
generated
vendored
|
@ -368,6 +368,7 @@ _oci-runtime-tool_generate() {
|
|||
"
|
||||
|
||||
local boolean_options="
|
||||
--cap-drop-all
|
||||
--device-remove-all
|
||||
--disable-oom-kill
|
||||
--help -h
|
||||
|
|
6
vendor/github.com/opencontainers/runtime-tools/generate/generate.go
generated
vendored
6
vendor/github.com/opencontainers/runtime-tools/generate/generate.go
generated
vendored
|
@ -912,35 +912,30 @@ func (g *Generator) DropProcessCapability(c string) error {
|
|||
for i, cap := range g.spec.Process.Capabilities.Bounding {
|
||||
if strings.ToUpper(cap) == cp {
|
||||
g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding[:i], g.spec.Process.Capabilities.Bounding[i+1:]...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
for i, cap := range g.spec.Process.Capabilities.Effective {
|
||||
if strings.ToUpper(cap) == cp {
|
||||
g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective[:i], g.spec.Process.Capabilities.Effective[i+1:]...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
for i, cap := range g.spec.Process.Capabilities.Inheritable {
|
||||
if strings.ToUpper(cap) == cp {
|
||||
g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable[:i], g.spec.Process.Capabilities.Inheritable[i+1:]...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
for i, cap := range g.spec.Process.Capabilities.Permitted {
|
||||
if strings.ToUpper(cap) == cp {
|
||||
g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted[:i], g.spec.Process.Capabilities.Permitted[i+1:]...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
for i, cap := range g.spec.Process.Capabilities.Ambient {
|
||||
if strings.ToUpper(cap) == cp {
|
||||
g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient[:i], g.spec.Process.Capabilities.Ambient[i+1:]...)
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1046,6 +1041,7 @@ func (g *Generator) RemoveDevice(path string) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
// ClearLinuxDevices clears g.spec.Linux.Devices
|
||||
func (g *Generator) ClearLinuxDevices() {
|
||||
if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
|
||||
return
|
||||
|
|
3
vendor/github.com/opencontainers/runtime-tools/man/oci-runtime-tool-generate.1.md
generated
vendored
3
vendor/github.com/opencontainers/runtime-tools/man/oci-runtime-tool-generate.1.md
generated
vendored
|
@ -45,6 +45,9 @@ read the configuration from `config.json`.
|
|||
**--cap-drop**=[]
|
||||
Drop Linux capabilities
|
||||
|
||||
**--cap-drop-all**true|false
|
||||
Drop all Linux capabilities
|
||||
|
||||
**--cgroups-path**=""
|
||||
Specifies the path to the cgroups relative to the cgroups mount point.
|
||||
|
||||
|
|
31
vendor/github.com/opencontainers/runtime-tools/validate/validate.go
generated
vendored
31
vendor/github.com/opencontainers/runtime-tools/validate/validate.go
generated
vendored
|
@ -40,22 +40,6 @@ var (
|
|||
"RLIMIT_SIGPENDING",
|
||||
"RLIMIT_STACK",
|
||||
}
|
||||
defaultCaps = []string{
|
||||
"CAP_CHOWN",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_FSETID",
|
||||
"CAP_FOWNER",
|
||||
"CAP_MKNOD",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_KILL",
|
||||
"CAP_AUDIT_WRITE",
|
||||
}
|
||||
)
|
||||
|
||||
// Validator represents a validator for runtime bundle
|
||||
|
@ -275,7 +259,7 @@ func (v *Validator) CheckProcess() (msgs []string) {
|
|||
}
|
||||
}
|
||||
|
||||
msgs = append(msgs, v.CheckCapablities()...)
|
||||
msgs = append(msgs, v.CheckCapabilities()...)
|
||||
msgs = append(msgs, v.CheckRlimits()...)
|
||||
|
||||
if v.spec.Platform.OS == "linux" {
|
||||
|
@ -292,7 +276,8 @@ func (v *Validator) CheckProcess() (msgs []string) {
|
|||
return
|
||||
}
|
||||
|
||||
func (v *Validator) CheckCapablities() (msgs []string) {
|
||||
// CheckCapabilities checks v.spec.Process.Capabilities
|
||||
func (v *Validator) CheckCapabilities() (msgs []string) {
|
||||
process := v.spec.Process
|
||||
if v.spec.Platform.OS == "linux" {
|
||||
var caps []string
|
||||
|
@ -325,6 +310,7 @@ func (v *Validator) CheckCapablities() (msgs []string) {
|
|||
return
|
||||
}
|
||||
|
||||
// CheckRlimits checks v.spec.Process.Rlimits
|
||||
func (v *Validator) CheckRlimits() (msgs []string) {
|
||||
process := v.spec.Process
|
||||
for index, rlimit := range process.Rlimits {
|
||||
|
@ -700,13 +686,8 @@ func namespaceValid(ns rspec.LinuxNamespace) bool {
|
|||
|
||||
func deviceValid(d rspec.LinuxDevice) bool {
|
||||
switch d.Type {
|
||||
case "b":
|
||||
case "c":
|
||||
case "u":
|
||||
if d.Major <= 0 {
|
||||
return false
|
||||
}
|
||||
if d.Minor <= 0 {
|
||||
case "b", "c", "u":
|
||||
if d.Major <= 0 || d.Minor <= 0 {
|
||||
return false
|
||||
}
|
||||
case "p":
|
||||
|
|