Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add a security test to verify capabilities #25295

Merged
merged 1 commit into from Oct 15, 2020
Merged

add a security test to verify capabilities #25295

merged 1 commit into from Oct 15, 2020

Conversation

yuvalk
Copy link
Contributor

@yuvalk yuvalk commented Jul 19, 2020

This will test the restricted scc is really restricted,
including only
0x000000000000051b=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_setpcap,cap_net_bind_service

Signed-off-by: Yuval Kashtan yuvalkashtan@gmail.com

@smarterclayton
Copy link
Contributor

Is there a human readable diff for this? Would be better to print that if it exists so that someone who isn't familiar with the low level linux stuff can still triage.

@yuvalk
Copy link
Contributor Author

yuvalk commented Jul 20, 2020

Is there a human readable diff for this? Would be better to print that if it exists so that someone who isn't familiar with the low level linux stuff can still triage.

yeah,
good idea,
you mean beside what I provided in the commit msg I guess

I will add a call to capsh --decode on both values, to get that

@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 23, 2020
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 24, 2020
@umohnani8
Copy link
Contributor

This should pass after openshift/machine-config-operator#2051 gets in

@yuvalk
Copy link
Contributor Author

yuvalk commented Sep 22, 2020

/retest

1 similar comment
@yuvalk
Copy link
Contributor Author

yuvalk commented Sep 23, 2020

/retest

@yuvalk
Copy link
Contributor Author

yuvalk commented Sep 24, 2020

/retest

@yuvalk
add a security test to verify capabilities
59f91fe 
This will test the restricted scc is really restricted,
including only
0x000000000000051b=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_setpcap,cap_net_bind_service

Signed-off-by: Yuval Kashtan <yuvalkashtan@gmail.com>
@yuvalk
Copy link
Contributor Author

yuvalk commented Sep 28, 2020

/test e2e-gcp, e2e-gcp-upgrade

@yuvalk
Copy link
Contributor Author

yuvalk commented Sep 29, 2020

/test e2e-aws-fips, e2e-aws-serial

@umohnani8
Copy link
Contributor

/retest

@yuvalk
Copy link
Contributor Author

yuvalk commented Sep 29, 2020

/test e2e-aws-fips

@yuvalk
Copy link
Contributor Author

yuvalk commented Sep 29, 2020

/test e2e-cmd

@umohnani8
Copy link
Contributor

@smarterclayton @mrunalp this is ready to be merged, PTAL

@umohnani8
Copy link
Contributor

/test e2e-cmd

3 similar comments
@yuvalk
Copy link
Contributor Author

yuvalk commented Oct 1, 2020

/test e2e-cmd

@umohnani8
Copy link
Contributor

/test e2e-cmd

@umohnani8
Copy link
Contributor

/test e2e-cmd

@mrunalp
Copy link
Member

mrunalp commented Oct 2, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Oct 2, 2020
@umohnani8
Copy link
Contributor

@smarterclayton @deads2k @mrunalp can we please get an approve here

@mrunalp
Copy link
Member

mrunalp commented Oct 14, 2020

/approve

@mrunalp mrunalp added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 14, 2020
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: mrunalp, yuvalk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

1 similar comment
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: mrunalp, yuvalk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

2 similar comments
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit 6c53f20 into openshift:master Oct 15, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@smarterclayton smarterclayton Awaiting requested review from smarterclayton

Assignees

@mrunalp mrunalp

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@yuvalk @smarterclayton @umohnani8 @mrunalp @openshift-ci-robot @openshift-bot @openshift-merge-robot