Remove NET_RAW and SYS_CHROOT capabilities

as well as add net.ipv4.ping_group_range sysctl for tests

also grabbed some changes introduced by @Chenditang on github to
update the crio.conf man page

Increase the security of containers by removing the NET_RAW and CHROOT capabilties.

Suggest adding net.ipv4.ping_group_range so that ping will still work.

Updated-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Vagrantfile

@@ -12,7 +12,7 @@ Vagrant.configure("2") do |config|
 
   # Every Vagrant development environment requires a box. You can search for
   # boxes at https://atlas.hashicorp.com/search.
-  config.vm.box = "fedora/27-cloud-base"
+  config.vm.box = "fedora/30-cloud-base"
 
   # Disable automatic box update checking. If you disable this, then
   # boxes will only be checked for updates when the user runs

contrib/test/integration/system-packages.yml

@@ -86,3 +86,6 @@
 - name: Update all packages RHEL 8 and Fedora >= 30
   shell: sudo yum update -y
   when: supports_python3 is defined and supports_python3
+
+- name: Allow processes inside of containers to send ping
+  shell: sysctl -w net.ipv4.ping_group_range='0 2147483647'

docs/crio.8.md

@@ -28,7 +28,6 @@ crio
 [--ctr-stop-timeout]=[value]
 [--decryption-keys-path]=[value]
 [--default-capabilities]=[value]
-[--default-mounts-file]=[value]
 [--default-mounts]=[value]
 [--default-runtime]=[value]
 [--default-sysctls]=[value]
@@ -149,12 +148,10 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--decryption-keys-path**="": Path to load keys for image decryption. (default: /etc/crio/keys/)
 
-**--default-capabilities**="": Capabilities to add to the containers (default: ["CHOWN" "DAC_OVERRIDE" "FSETID" "FOWNER" "NET_RAW" "SETGID" "SETUID" "SETPCAP" "NET_BIND_SERVICE" "SYS_CHROOT" "KILL"])
+**--default-capabilities**="": Capabilities to add to the containers (default: ["CHOWN" "DAC_OVERRIDE" "FSETID" "FOWNER" "SETGID" "SETUID" "SETPCAP" "NET_BIND_SERVICE" "KILL"])
 
 **--default-mounts**="": Add one or more default mount paths in the form host:container (deprecated) (default: []) (default: [])
 
-**--default-mounts-file**="": Path to default mounts file (default: "")
-
 **--default-runtime**="": Default OCI runtime from the runtimes config (default: runc)
 
 **--default-sysctls**="": Sysctls to add to the containers (default: []) (default: [])

docs/crio.conf.5.md

@@ -80,12 +80,12 @@ The `crio.api` table contains settings for the kubelet/gRPC interface.
 ## CRIO.RUNTIME TABLE
 The `crio.runtime` table contains settings pertaining to the OCI runtime used and options for how to set up and manage the OCI runtime.
 
-**default_ulimits**=[]
-  A list of ulimits to be set in containers by default, specified as "<ulimit name>=<soft limit>:<hard limit>", for example:"nofile=1024:2048". If nothing is set here, settings will be inherited from the CRI-O daemon.
-
 **default_runtime**="runc"
   The _name_ of the OCI runtime to be used as the default.
 
+**default_ulimits**=[]
+  A list of ulimits to be set in containers by default, specified as "<ulimit name>=<soft limit>:<hard limit>", for example:"nofile=1024:2048". If nothing is set here, settings will be inherited from the CRI-O daemon.
+
 **no_pivot**=false
   If true, the runtime will not use `pivot_root`, but instead use `MS_MOVE`.
 
@@ -119,23 +119,28 @@ The `crio.runtime` table contains settings pertaining to the OCI runtime used an
   The default list is:
 ```
   default_capabilities = [
-          "CHOWN",
-          "DAC_OVERRIDE",
-          "FSETID",
-          "FOWNER",
-          "NET_RAW",
-          "SETGID",
-          "SETUID",
-          "SETPCAP",
-          "NET_BIND_SERVICE",
-          "SYS_CHROOT",
-          "KILL",
+	  "CHOWN",
+	  "DAC_OVERRIDE",
+	  "FSETID",
+	  "FOWNER",
+	  "SETGID",
+	  "SETUID",
+	  "SETPCAP",
+	  "NET_BIND_SERVICE",
+	  "KILL",
   ]
 ```
 
 **default_sysctls**=[]
  List of default sysctls. If it is empty or commented out, only the sysctls defined in the container json file by the user/kube will be added.
 
+  One example would be allowing ping inside of containers.  On systems that support `/proc/sys/net/ipv4/ping_group_range`, the default list could be:
+```
+  default_sysctls = [
+       "net.ipv4.ping_group_range" = "0   2147483647",
+  ]
+```
+
 **additional_devices**=[]
   List of additional devices. Specified as "<device-on-host>:<device-on-container>:<permissions>", for example: "--additional-devices=/dev/sdc:/dev/xvdc:rwm". If it is empty or commented out, only the devices defined in the container json file by the user/kube will be added.
 
@@ -158,6 +163,11 @@ The `crio.runtime` table contains settings pertaining to the OCI runtime used an
 
     2) `/usr/share/containers/mounts.conf`: This is the default file read for mounts. If you want CRI-O to read from a different, specific mounts file, you can change the default_mounts_file. Note, if this is done, CRI-O will only add mounts it finds in this file.
 
+**bind_mount_prefix**="prefix"
+  A prefix to use for the source of the bind mounts.
+
+  One potential use for this option would be running CRI-O in a container, and mounting / on the host as /host in the container.  CRI-O could then be ran with --bind-mount-prefix=/host, and CRI-O would add /host to any bind mounts it hands over the CRI, thus specifying the correct directory on the host.
+
 **pids_limit**=1024
   Maximum number of processes allowed in a container.
 
@@ -212,6 +222,12 @@ The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.  Th
 **runtime_path**=""
   Path to the OCI compatible runtime used for this runtime handler.
 
+**runtime_root**=""
+  Root directory used to store runtime data
+
+**runtime_type**="oci"
+  Type of the runtime used for this runtime handler. "oci", "vm"
+
 ## CRIO.IMAGE TABLE
 The `crio.image` table contains settings pertaining to the management of OCI images.
 

internal/criocli/criocli.go

@@ -576,6 +576,7 @@ func getCrioFlags(defConf *libconfig.Config) []cli.Flag {
 			Usage:     fmt.Sprintf("Path to default mounts file (default: %q)", defConf.DefaultMountsFile),
 			EnvVars:   []string{"CONTAINER_DEFAULT_MOUNTS_FILE"},
 			TakesFile: true,
+			Hidden:    true,
 		},
 		&cli.StringFlag{
 			Name:    "default-capabilities",

pkg/config/config.go

@@ -107,12 +107,10 @@ var DefaultCapabilities = []string{
 	"DAC_OVERRIDE",
 	"FSETID",
 	"FOWNER",
-	"NET_RAW",
 	"SETGID",
 	"SETUID",
 	"SETPCAP",
 	"NET_BIND_SERVICE",
-	"SYS_CHROOT",
 	"KILL",
 }
 

test/ctr.bats

@@ -1076,7 +1076,7 @@ function teardown() {
 	run crictl exec --sync $ctr_id grep Cap /proc/1/status
 	echo "$output"
 	[ "$status" -eq 0 ]
-	[[ "$output" =~ 00000000002425fb ]]
+	[[ "$output" =~ 00000000002005fb ]]
 
 	run crictl stopp "$pod_id"
 	echo "$output"

test/helpers.bash

@@ -162,19 +162,17 @@ function setup_test() {
     CONTAINER_EXITS_DIR=$TESTDIR/containers/exits
     CONTAINER_ATTACH_SOCKET_DIR=$TESTDIR/containers
 
-    # Setup default mounts using deprecated --default-mounts flag
-    # should be removed, once the flag is removed
     MOUNT_PATH="$TESTDIR/secrets"
     mkdir ${MOUNT_PATH}
     MOUNT_FILE="${MOUNT_PATH}/test.txt"
     touch ${MOUNT_FILE}
     echo "Testing secrets mounts!" >${MOUNT_FILE}
-    DEFAULT_MOUNTS_OPTS="--default-mounts=${MOUNT_PATH}:/container/path1"
 
     # Setup default secrets mounts
     mkdir $TESTDIR/containers
     touch $TESTDIR/containers/mounts.conf
     echo "$TESTDIR/rhel/secrets:/run/secrets" >$TESTDIR/containers/mounts.conf
+    echo "${MOUNT_PATH}:/container/path1" >>$TESTDIR/containers/mounts.conf
     mkdir -p $TESTDIR/rhel/secrets
     touch $TESTDIR/rhel/secrets/test.txt
     echo "Testing secrets mounts. I am mounted!" >$TESTDIR/rhel/secrets/test.txt

tutorials/setup.md

@@ -374,12 +374,10 @@ default_capabilities = [
 	"DAC_OVERRIDE",
 	"FSETID",
 	"FOWNER",
-	"NET_RAW",
 	"SETGID",
 	"SETUID",
 	"SETPCAP",
 	"NET_BIND_SERVICE",
-	"SYS_CHROOT",
 	"KILL",
 ]
 ```