scripts: Drop most capabilities #1099
Conversation
Note this PR requires [bubblewrap 0.2.0](https://github.com/projectatomic/bubblewrap/releases/tag/v0.2.0). Change our bwrap invocations drop truly dangerous capabilities like `cap_sys_admin` and `cap_sys_module` just like Docker does today. Because of the popularity of Docker, we can be pretty sure that most RPM scripts should have adapted to this (although a problematic area here is that traditional librpm doesn't actually error out if scripts fail). There are two reasons to do this: - We want "offline" updates by default; updates shouldn't affect the running system. If we prepare the new root in the background, a %post shouldn't restart a service for example. We already "handle" this by making `systemctl` a symlink to `/bin/true`, but this approach also shuts off `%post`s that do e.g. `insmod`. - Protection against accidental system damage
|
Nice! I tested this with the usual suspects and it worked fine. Tests are failing though because they're not running with bubblewrap 0.2.0 yet. Maybe let's just add it to the list of rdgo pkgs we rsync in |
src/libpriv/rpmostree-bwrap.c
Outdated
| "--cap-add", "cap_setgid", | ||
| "--cap-add", "cap_setuid", | ||
| "--cap-add", "cap_setpcap", | ||
| "--cap-add", "cap_net_bind_service", |
There was a problem hiding this comment.
Yeah, we should. I originally was worried about apps which use TCP for local management...IIRC bind at least used to do this? But OTOH we already break this by using an isolated loop-only netns so...yeah, let's remove it.
|
Pushed a fixup ⬆️ |
|
Let's try to get away with just adding a hard dependency now? |
|
But CentOS is still on the old one, right? We can just hold this until it makes it there I guess. |
|
For RHEL we bundle bwrap in the rpm-ostree package, and for CAHC we already get it from git builds right? |
|
Although I get your point that we won't get this past |
|
We can switch to |
|
☀️ Test successful - status-atomicjenkins |
Note this PR requires bubblewrap 0.2.0.
Change our bwrap invocations drop truly dangerous capabilities like
cap_sys_adminandcap_sys_modulejust like Docker does today. Because of thepopularity of Docker, we can be pretty sure that most RPM scripts should have
adapted to this (although a problematic area here is that traditional librpm
doesn't actually error out if scripts fail).
There are two reasons to do this:
running system. If we prepare the new root in the background, a
%post shouldn't restart a service for example. We already "handle"
this by making
systemctla symlink to/bin/true, but this approachalso shuts off
%posts that do e.g.insmod.