scripts: Drop most capabilities #1099
Conversation
Note this PR requires [bubblewrap 0.2.0](https://github.com/projectatomic/bubblewrap/releases/tag/v0.2.0). Change our bwrap invocations to drop truly dangerous capabilities like `cap_sys_admin` and `cap_sys_module` just like Docker does today. Because of the popularity of Docker, we can be pretty sure that most RPM scripts should have adapted to this (although a problematic area here is that traditional librpm doesn't actually error out if scripts fail). There are two reasons to do this:

- We want "offline" updates by default; updates shouldn't affect the running system. If we prepare the new root in the background, a `%post` shouldn't restart a service for example. We already "handle" this by making `systemctl` a symlink to `/bin/true`, but this approach also shuts off `%post`s that do e.g. `insmod`.
- Protection against accidental system damage
Nice! I tested this with the usual suspects and it worked fine. Tests are failing though because they're not running with bubblewrap 0.2.0 yet. Maybe let's just add it to the list of rdgo pkgs we rsync in
src/libpriv/rpmostree-bwrap.c (outdated):

```c
"--cap-add", "cap_setgid",
"--cap-add", "cap_setuid",
"--cap-add", "cap_setpcap",
"--cap-add", "cap_net_bind_service",
```
Can we drop this one too?
Yeah, we should. I originally was worried about apps which use TCP for local management... IIRC bind at least used to do this? But OTOH we already break this by using an isolated loop-only netns so... yeah, let's remove it.
Pushed a fixup ⬆️
Let's try to get away with just adding a hard dependency now?
But CentOS is still on the old one, right? We can just hold this until it makes it there I guess.
For RHEL we bundle bwrap in the rpm-ostree package, and for CAHC we already get it from git builds right?
Although I get your point that we won't get this past
We can switch to
☀️ Test successful - status-atomicjenkins