Seccomp: Tighten container capability checks a bit to align with kernel behaviour #13458

Merged: 2 commits, Jun 4, 2024

Conversation

mihalicyn (Member)

Let's tighten capability checks in mknod interception code to align this with what we have in the kernel. So, if mknod interception is enabled then only a user with CAP_MKNOD in the container's initial user namespace can use it.
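As an added illustration of the check this PR describes (example code, not LXD's own seccomp interception code), the snippet below parses the `CapEff` line of a `/proc/<pid>/status` file and reports whether the caller holds CAP_MKNOD (capability bit 27), which is what mknod(2) actually requires in the kernel; it also shows that holding CAP_SYS_MODULE (bit 16) alone does not satisfy the check. The status excerpts are constructed samples, and the function names are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Capability bit numbers as defined in linux/capability.h.
const (
	CapSysModule = 16 // CAP_SYS_MODULE: load/unload kernel modules
	CapMknod     = 27 // CAP_MKNOD: create device special files via mknod(2)
)

// parseCapEff returns the effective capability bitmask found in the text of a
// /proc/<pid>/status file (hypothetical helper written for this example).
func parseCapEff(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "CapEff:") {
			hexMask := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
			return strconv.ParseUint(hexMask, 16, 64)
		}
	}
	return 0, fmt.Errorf("CapEff line not found in status")
}

// hasCap reports whether capability bit c is set in mask.
func hasCap(mask uint64, c uint) bool { return mask&(1<<c) != 0 }

// mayMknod mirrors the tightened rule: the caller's effective set must contain
// CAP_MKNOD; any other capability (CAP_SYS_MODULE included) is irrelevant.
func mayMknod(status string) (bool, error) {
	mask, err := parseCapEff(status)
	if err != nil {
		return false, err
	}
	return hasCap(mask, CapMknod), nil
}

// Constructed status excerpts, not captured from a real container.
const (
	statusFullRoot     = "Name:\tbash\nCapEff:\t000001ffffffffff\n" // all capability bits set
	statusModuleOnly   = "Name:\tbash\nCapEff:\t0000000000010000\n" // only bit 16 (CAP_SYS_MODULE)
	statusUnprivileged = "Name:\tbash\nCapEff:\t0000000000000000\n" // no capabilities
)

func main() {
	for _, s := range []string{statusFullRoot, statusModuleOnly, statusUnprivileged} {
		ok, err := mayMknod(s)
		fmt.Printf("mknod allowed: %v (err=%v)\n", ok, err)
	}
}
```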

@mihalicyn mihalicyn requested a review from tomponline as a code owner May 8, 2024 12:54
@mihalicyn mihalicyn requested a review from simondeziel May 8, 2024 12:54
@mihalicyn mihalicyn force-pushed the additional_cap_checks branch 2 times, most recently from 6bf62b7 to 837d73d May 8, 2024 13:10
simondeziel (Member) previously approved these changes May 8, 2024

@simondeziel simondeziel left a comment


Am I right that this essentially boils down to s/CAP_SYS_MODULE/CAP_MKNOD/?
Feels like the right capability to check for, thanks! LGTM

Review comments on lxd/seccomp/seccomp.go (outdated, resolved)
@tomponline tomponline changed the title lxd/seccomp/seccomp: tighten capability checks a bit Seccomp: Tighten container capability checks a bit to align with kernel behaviour May 8, 2024
@tomponline (Member)

Thanks @mihalicyn !

Let's tighten capability checks in mknod interception code
to align this with what we have in the kernel. So,
if mknod interception is enabled then only user with
CAP_MKNOD in the container's initial user namespace can use it.

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>

@tomponline tomponline left a comment


Thanks!

@tomponline tomponline merged commit e53ed30 into canonical:main Jun 4, 2024
29 checks passed