From 3a423f3e4edb2c474c660dec49c29cabf6171d54 Mon Sep 17 00:00:00 2001
From: Victor Marmol
Date: Wed, 14 May 2014 18:29:08 +0000
Subject: [PATCH] Change libcontainer to drop all capabilities by default. Only keeps those that were specified in the config. This commit also explicitly adds a set of capabilities that we were silently not dropping and were assumed by the tests.
Docker-DCO-1.1-Signed-off-by: Victor Marmol (github: vmarmol)
---
 .../security/capabilities/capabilities.go | 38 ++++++++++---------
 libcontainer/types.go | 5 +++
 2 files changed, 25 insertions(+), 18 deletions(-)
diff --git a/libcontainer/security/capabilities/capabilities.go b/libcontainer/security/capabilities/capabilities.go
index ad13e67..107417a 100644
--- a/libcontainer/security/capabilities/capabilities.go
+++ b/libcontainer/security/capabilities/capabilities.go
@@ -7,32 +7,34 @@ import (
 "github.com/syndtr/gocapability/capability"
 )
-// DropCapabilities drops capabilities for the current process based
-// on the container's configuration.
-func DropCapabilities(container *libcontainer.Container) error {
- if drop := getCapabilitiesMask(container); len(drop) > 0 {
- c, err := capability.NewPid(os.Getpid())
- if err != nil {
- return err
- }
- c.Unset(capability.CAPS|capability.BOUNDS, drop...)
+const allCapabilityTypes = capability.CAPS | capability.BOUNDS
- if err := c.Apply(capability.CAPS | capability.BOUNDS); err != nil {
- return err
- }
+// DropCapabilities drops all capabilities for the current process expect those specified in the container configuration.
+func DropCapabilities(container *libcontainer.Container) error {
+ c, err := capability.NewPid(os.Getpid())
+ if err != nil {
+ return err
+ }
+
+ keep := getEnabledCapabilities(container)
+ c.Clear(allCapabilityTypes)
+ c.Set(allCapabilityTypes, keep...)
+
+ if err := c.Apply(allCapabilityTypes); err != nil {
+ return err
 }
 return nil
 }
-// getCapabilitiesMask returns the specific cap mask values for the libcontainer types
-func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap {
- drop := []capability.Cap{}
+// getCapabilitiesMask returns the capabilities that should not be dropped by the container.
+func getEnabledCapabilities(container *libcontainer.Container) []capability.Cap {
+ keep := []capability.Cap{}
 for key, enabled := range container.CapabilitiesMask {
- if !enabled {
+ if enabled {
 if c := libcontainer.GetCapability(key); c != nil {
- drop = append(drop, c.Value)
+ keep = append(keep, c.Value)
 }
 }
 }
- return drop
+ return keep
 }
diff --git a/libcontainer/types.go b/libcontainer/types.go
index 8f056c8..4c8f60c 100644
--- a/libcontainer/types.go
+++ b/libcontainer/types.go
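Review bot: The doc comment on the new DropCapabilities misspells "except" as "expect", and the comment above getEnabledCapabilities still names the old getCapabilitiesMask, so godoc will not attach it to the renamed function; suggested text is `// DropCapabilities drops all capabilities for the current process except those specified in the container configuration.` and `// getEnabledCapabilities returns the capabilities the container configuration enables, i.e. the only ones that survive the drop.` Separately, getEnabledCapabilities silently skips any CapabilitiesMask key that libcontainer.GetCapability does not recognise, so a misspelled key in a config fails closed (the capability is dropped) with no signal to the operator; consider returning an error for unknown keys, or at least logging them, so the retained set is verifiably what the config asked for. The trailing `if err := c.Apply(allCapabilityTypes); err != nil { return err }` followed by `return nil` can collapse to `return c.Apply(allCapabilityTypes)`.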
@@ -55,6 +55,11 @@ var (
 {Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN},
 {Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN},
 {Key: "SYSLOG", Value: capability.CAP_SYSLOG},
+ {Key: "SETUID", Value: capability.CAP_SETUID},
+ {Key: "SETGID", Value: capability.CAP_SETGID},
+ {Key: "CHOWN", Value: capability.CAP_CHOWN},
+ {Key: "NET_RAW", Value: capability.CAP_NET_RAW},
+ {Key: "DAC_OVERRIDE", Value: capability.CAP_DAC_OVERRIDE},
 }
 )
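Review bot: With the drop-all-by-default behaviour introduced in capabilities.go, this table is now the complete set of capability names a config can retain: anything absent from it can never be granted, because GetCapability returns nil for it and the entry is ignored, and the five rows added here (SETUID, SETGID, CHOWN, NET_RAW, DAC_OVERRIDE) were previously kept implicitly, so existing configs that do not enable them lose them after this change. That contract deserves a comment on the var declaration, e.g. `// Every capability a container may retain must be listed here; any name not in this table is dropped unconditionally.` — the enclosing var block starts before this hunk. It would also help to state in the commit description that this is a behaviour change for existing configurations rather than only an addition of names.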