Merge pull request #5467 from QiWang19/drop-cap

[release-1.19] Add support to drop ALL and add back few capabilities
cri-o · Feb 24, 2022 · 191f731 · 191f731
2 parents 74187ba + 1e72afd
commit 191f731
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 13 deletions.
diff --git a/server/container_create.go b/server/container_create.go
@@ -12,6 +12,7 @@ import (
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/mount"
 	"github.com/containers/storage/pkg/stringid"
+	"github.com/cri-o/cri-o/internal/config/capabilities"
 	"github.com/cri-o/cri-o/internal/lib/sandbox"
 	"github.com/cri-o/cri-o/internal/log"
 	"github.com/cri-o/cri-o/internal/storage"
@@ -335,13 +336,13 @@ func generateUserString(username, imageUser string, uid *pb.Int64Value) string {
 }
 
 // setupCapabilities sets process.capabilities in the OCI runtime config.
-func setupCapabilities(specgen *generate.Generator, capabilities *pb.Capability) error {
+func setupCapabilities(specgen *generate.Generator, caps *pb.Capability, defaultCaps capabilities.Capabilities) error {
 	// Remove all ambient capabilities. Kubernetes is not yet ambient capabilities aware
 	// and pods expect that switching to a non-root user results in the capabilities being
 	// dropped. This should be revisited in the future.
 	specgen.Config.Process.Capabilities.Ambient = []string{}
 
-	if capabilities == nil {
+	if caps == nil {
 		return nil
 	}
 
@@ -352,12 +353,24 @@ func setupCapabilities(specgen *generate.Generator, capabilities *pb.Capability)
 		return cap
 	}
 
+	addAll := inStringSlice(caps.AddCapabilities, "ALL")
+	dropAll := inStringSlice(caps.DropCapabilities, "ALL")
+
+	// Only add the default capabilities to the AddCapabilities list
+	// if neither add or drop are set to "ALL". If add is set to "ALL" it
+	// is a super set of the default capabilties. If drop is set to "ALL"
+	// then we first want to clear the entire list (including defaults)
+	// so the user may selectively add *only* the capabilities they need.
+	if !(addAll || dropAll) {
+		caps.AddCapabilities = append(caps.AddCapabilities, defaultCaps...)
+	}
+
 	// Add/drop all capabilities if "all" is specified, so that
 	// following individual add/drop could still work. E.g.
 	// AddCapabilities: []string{"ALL"}, DropCapabilities: []string{"CHOWN"}
 	// will be all capabilities without `CAP_CHOWN`.
 	// see https://github.com/kubernetes/kubernetes/issues/51980
-	if inStringSlice(capabilities.GetAddCapabilities(), "ALL") {
+	if addAll {
 		for _, c := range getOCICapabilitiesList() {
 			if err := specgen.AddProcessCapabilityBounding(c); err != nil {
 				return err
@@ -373,7 +386,7 @@ func setupCapabilities(specgen *generate.Generator, capabilities *pb.Capability)
 			}
 		}
 	}
-	if inStringSlice(capabilities.GetDropCapabilities(), "ALL") {
+	if dropAll {
 		for _, c := range getOCICapabilitiesList() {
 			if err := specgen.DropProcessCapabilityBounding(c); err != nil {
 				return err
@@ -390,7 +403,7 @@ func setupCapabilities(specgen *generate.Generator, capabilities *pb.Capability)
 		}
 	}
 
-	for _, cap := range capabilities.GetAddCapabilities() {
+	for _, cap := range caps.AddCapabilities {
 		if strings.EqualFold(cap, "ALL") {
 			continue
 		}
@@ -413,7 +426,7 @@ func setupCapabilities(specgen *generate.Generator, capabilities *pb.Capability)
 		}
 	}
 
-	for _, cap := range capabilities.GetDropCapabilities() {
+	for _, cap := range caps.DropCapabilities {
 		if strings.EqualFold(cap, "ALL") {
 			continue
 		}

diff --git a/server/container_create_linux.go b/server/container_create_linux.go
@@ -1,3 +1,4 @@
+//go:build linux
 // +build linux
 
 package server
@@ -466,8 +467,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
 			}
 			// Clear default capabilities from spec
 			specgen.ClearProcessCapabilities()
-			capabilities.AddCapabilities = append(capabilities.AddCapabilities, s.config.DefaultCapabilities...)
-			err = setupCapabilities(&specgen, capabilities)
+			err = setupCapabilities(&specgen, capabilities, s.config.DefaultCapabilities)
 			if err != nil {
 				return nil, err
 			}

diff --git a/server/sandbox_run_linux.go b/server/sandbox_run_linux.go
@@ -1,3 +1,4 @@
+//go:build linux
 // +build linux
 
 package server
@@ -231,11 +232,8 @@ func (s *Server) runPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 
 	// Add capabilities from crio.conf if default_capabilities is defined
 	capabilities := &pb.Capability{}
-	if s.config.DefaultCapabilities != nil {
-		g.ClearProcessCapabilities()
-		capabilities.AddCapabilities = append(capabilities.AddCapabilities, s.config.DefaultCapabilities...)
-	}
-	if err := setupCapabilities(&g, capabilities); err != nil {
+	g.ClearProcessCapabilities()
+	if err := setupCapabilities(&g, capabilities, s.config.DefaultCapabilities); err != nil {
 		return nil, err
 	}