[24.0 backport] Do not drop effective&permitted set #46221
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently moby drops ep sets before the entrypoint is executed. This does mean that with combination of no-new-privileges the file capabilities stops working with non-root containers. This is undesired as the usability of such containers is harmed comparing to running root containers. This commit therefore sets the effective/permitted set in order to allow use of file capabilities or libcap(3)/prctl(2) respectively with combination of no-new-privileges and without respectively. For no-new-privileges the container will be able to obtain capabilities that are requested. Signed-off-by: Luboslav Pivarc <lpivarc@redhat.com> Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com> (cherry picked from commit 3aef732) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Verify non-root containers are able to use file capabilities. Signed-off-by: Luboslav Pivarc <lpivarc@redhat.com> Co-authored-by: Cory Snider <csnider@mirantis.com> Signed-off-by: Cory Snider <csnider@mirantis.com> (cherry picked from commit 42fa7a1) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
added
area/runtime
status/2-code-review
impact/changelog
kind/bugfix
thaJeztah
changed the title
neersighted
approved these changes
Aug 15, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
--security-opt=no-new-privileges#45491- What I did
Currently moby drops ep sets before the entrypoint is executed. This does mean that with combination of no-new-privileges the file capabilities stops working with non-root containers. This is undesired as the usability of such containers is harmed comparing to running root containers.
This commit therefore sets the effective/permitted set in order to allow use of file capabilities or libcap(3)/prctl(2) respectively with combination of no-new-privileges and without respectively.
For no-new-privileges the container will be able to obtain capabilities that are requested.
- How I did it
- How to verify it
Use the below as Dockerfile
docker run --security-opt=no-new-privileges --user=100 --cap-add sys_admin <tag of the build Dockerfile> capsh --printYou should see
Current: = cap_sys_admin+eprather thanCurrent:- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)