Dockerfiles: run rpm --setcaps shadow-utils during build #256

Merged
merged 1 commit into from Sep 14, 2021

nalind
Member

@nalind nalind commented Jul 16, 2021

Our base images don't preserve file capabilities on /usr/bin/newuidmap and /usr/bin/newgidmap, but they do preserve setuid/setgid bits, which grant more privileges to callers, so go ahead and restore file capabilities during the build.

@rhatdan
Contributor

rhatdan commented Jul 19, 2021

What exactly does rpm --setcaps do to shadow-utils? Does it add the filecaps back in?

@rhatdan
Contributor

rhatdan commented Jul 19, 2021

Ubuntu man page says:

       rpm --setcaps PACKAGE_NAME
              sets capabilities of files in the given package. Consider using --restore instead.

       rpm --restore PACKAGE_NAME
              The option restores owner, group, permissions and  capabilities  of  files  in  the
              given package.

@nalind
Member Author

nalind commented Jul 19, 2021

> What exactly does rpm --setcaps do to shadow-utils? Does it add the filecaps back in?

Yes, it resets the file capabilities on files from that package, particularly /usr/bin/newuidmap and /usr/bin/newgidmap. The base image (so far as I can tell) didn't preserve the security.capability attributes of its contents. The ownerships and DAC permissions appear to be preserved, including the setuid bit on binaries which should have them.
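An added check, not part of the original thread or the project's Dockerfiles: it reports whether `newuidmap` and `newgidmap` in an image carry the setuid bit, the `security.capability` xattr, or both, so the effect of `rpm --setcaps shadow-utils` can be confirmed after the build. The function names are hypothetical; it assumes GNU or BusyBox `stat` and libcap's `getcap`, and accepts both the older (`= cap_setuid+ep`) and newer (`cap_setuid=ep`) `getcap` output styles.

```shell
#!/bin/sh
# Added example: report how newuidmap/newgidmap obtain privilege in an image.

# classify MODE CAPS
#   MODE: octal mode as printed by `stat -c %a` (e.g. 4755 or 755)
#   CAPS: output of `getcap FILE`; empty when security.capability is unset
# Prints one of: both, setuid-only, filecaps, unprivileged
classify() {
    mode=$1 caps=$2
    suid=no hascap=no
    # The setuid bit is 04000: a four-digit mode whose leading digit is 4-7.
    case $mode in
        [4567]???) suid=yes ;;
    esac
    # newuidmap is expected to carry cap_setuid, newgidmap cap_setgid.
    case $caps in
        *cap_setuid*|*cap_setgid*) hascap=yes ;;
    esac
    case $suid/$hascap in
        yes/yes) echo both ;;
        yes/no)  echo setuid-only ;;   # xattr lost: candidate for rpm --setcaps
        no/yes)  echo filecaps ;;
        *)       echo unprivileged ;;
    esac
}

# audit FILE...: classify each file that exists on this system.
audit() {
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "$f: not present"; continue
        fi
        if ! command -v getcap >/dev/null 2>&1; then
            echo "$f: getcap not installed, cannot read capabilities"; continue
        fi
        m=$(stat -c %a "$f")
        c=$(getcap "$f" 2>/dev/null || true)
        echo "$f: $(classify "$m" "$c") (mode $m)"
    done
}

audit /usr/bin/newuidmap /usr/bin/newgidmap
```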

@nalind
Member Author

nalind commented Jul 19, 2021

/retest

@nalind
Member Author

nalind commented Jul 20, 2021

/test e2e-aws-cgroupsv2

@nalind
Member Author

nalind commented Jul 20, 2021

/test e2e-aws-cgroupsv2

@nalind
Member Author

nalind commented Jul 21, 2021

/retest

@nalind
Member Author

nalind commented Jul 21, 2021

/retest

@adambkaplan
Contributor

@nalind I believe we are still working on getting builds to pass with cgroupsv2. Do we explicitly need that to test this update?

@nalind
Member Author

nalind commented Jul 22, 2021

No, whether or not the newuidmap and newgidmap binaries in the builder image have their security.capability xattr set correctly shouldn't affect the cgroupsv2 test's result, since that test is still going to be running the build container with privileges, and they're not invoked in that case. This is a guess at part of what's keeping openshift/openshift-controller-manager#173 from passing.

@nalind
Member Author

nalind commented Aug 3, 2021

/retest

@nalind
Member Author

nalind commented Aug 11, 2021

Given that we're not supposed to be blocking on the e2e-aws-cgroupsv2 test for this one, is there anything that I need to be changing about this patch?

@nalind
Member Author

nalind commented Aug 19, 2021

/retest

@rhatdan
Contributor

rhatdan commented Aug 20, 2021

/retest

Our base images don't preserve file capabilities on /usr/bin/newuidmap
and /usr/bin/newgidmap, but they do preserve setuid/setgid bits, which
grant more privileges to callers, so go ahead and restore file
capabilities during the build.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@rhatdan
Contributor

rhatdan commented Aug 25, 2021

LGTM

@nalind
Member Author

nalind commented Aug 25, 2021

/retest

@gabemontero
Contributor

/assign @coreydaley

for approve

@gabemontero
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 25, 2021
@coreydaley
Member

@nalind So, should we be using --restore instead as the man page suggests? Or will that not give us what we want?

@rhatdan
Contributor

rhatdan commented Aug 26, 2021

Both should work. --setcaps is more specific to the problem, since it is only fixing file caps.

@coreydaley
Member

/approve

@openshift-ci
Contributor

openshift-ci bot commented Aug 26, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: coreydaley, gabemontero, nalind

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 26, 2021
@adambkaplan
Contributor

/label docs-approved

No user-facing docs are needed for this change

@openshift-ci openshift-ci bot added the docs-approved Signifies that Docs has signed off on this PR label Aug 26, 2021
@adambkaplan
Contributor

/label px-approved

No impact on product experience

@adambkaplan
Contributor

/cc @jitendar-singh

Do we risk this breaking our build in OSBS? Otherwise I think our existing regression/CI tests are sufficient here.

@openshift-ci openshift-ci bot added the px-approved Signifies that Product Support has signed off on this PR label Aug 26, 2021
@nalind
Member Author

nalind commented Sep 8, 2021

Perhaps we can merge this, and revert it if it starts causing errors at image build time?

@coreydaley
Member

Looks like it's just waiting on the qe-approved label.

@jitendar-singh

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Sep 14, 2021
@openshift-merge-robot openshift-merge-robot merged commit ee88833 into openshift:master Sep 14, 2021
@nalind nalind deleted the setcaps branch September 14, 2021 18:00