-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Process capabilities cannot be retained when starting a container as non-root with --security-opt=no-new-privileges
#45491
Comments
Those changes were part of docker 20.10.14; https://docs.docker.com/engine/release-notes/20.10/#201014 to address CVE-2022-24769 /cc @samuelkarp |
Sorry, I was wrong. That commit only refactored the existing code with the effective and permitted caps drop. I think the real commit is this one 349aeea // if non root drop capabilities in the way execve does
if s.Process.User.UID != 0 {
s.Process.Capabilities.Effective = []string{}
s.Process.Capabilities.Permitted = []string{}
}
Looks pretty old... |
What version of Kubernetes or cri-dockerd are you using? I don't think they're in the loop here, but a full context is helpful. |
I was able to reproduce the problem on minikube with Kubernetes
|
Forgot to mention that the binary has the capabilities set:
|
Clearing out the effective and permitted capability sets for non-root users was introduced in #36587. #36587 (comment) notes that the Notably, there was work to change cri-containerd to implement the same capability-set-clearing behaviour as moby with lots of agreement that it should happen (though it hasn't quite happened yet) which disproves the claim that moby's behaviour is wrong and the other projects are correct. |
Hi @corhere, thank you for the clarification. This now makes more sense to me.
So apparently we now have different behavior in k8s depending on the container runtime. |
Hi @corhere , @justincormack Can you help me understand the reasoning behind this? I think docker should keep the capabilities requested by the user. |
The man pages document the behaviour of the
If a process with nonzero UIDs and the The actual semantics of
(Emphasis mine.) File capabilities are taken into consideration when Moby is in the wrong here. It doesn't need to emulate |
--security-opt=no-new-privileges
Description
When using docker as a runtime in kubernetes, the capabilities specified in the container's security context (in the pod yaml manifests) are not respected if running as non-root user:
In KubeVirt project we had several similar issues reported: kubevirt/kubevirt#9465
This can be easily reproduced with minikube. Other runtimes (containerd and crio) handle the capabilities correctly:
I briefly looked at the sources. Though I am not 100% confident that this snippet is actually causing the problem, but the bellow code looked suspicious to me:
moby/oci/oci.go
Lines 31 to 35 in c651a53
It was introduced by this commit 349aeea (and refactored in 0d9a37d).
Reproduce
Expected behavior
Effective/permitted caps should be set correctly:
docker version
docker info
Additional Info
This can also be reproduced without KubeVirt:
The text was updated successfully, but these errors were encountered: