add a security test to verify capabilities #25295
Is there a human readable diff for this? Would be better to print that if it exists so that someone who isn't familiar with the low level Linux stuff can still triage.
Yeah, I will add a call to capsh --decode on both values, to get that
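The human-readable diff discussed in the two comments above, sketched in Go as an added example (it is not code from this PR, which per the thread calls `capsh --decode`). The helper names `parseMask`, `namesOf` and `diffCaps` are hypothetical, the second mask in `main` is a constructed sample, and the name table follows the bit numbering in `linux/capability.h`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Capability names indexed by bit number, following linux/capability.h.
var capNames = strings.Fields(`cap_chown cap_dac_override cap_dac_read_search cap_fowner
cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct
cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time
cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap
cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend
cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore`)

// parseMask reads a hex capability mask, with or without a leading 0x.
func parseMask(s string) (uint64, error) {
	return strconv.ParseUint(strings.TrimPrefix(strings.TrimSpace(s), "0x"), 16, 64)
}

// namesOf lists the set bits by name; bits with no known name are kept by number.
func namesOf(mask uint64) []string {
	var out []string
	for bit := 0; bit < 64; bit++ {
		if mask>>uint(bit)&1 == 1 && bit < len(capNames) {
			out = append(out, capNames[bit])
		} else if mask>>uint(bit)&1 == 1 {
			out = append(out, fmt.Sprintf("unknown_bit_%d", bit))
		}
	}
	return out
}

// diffCaps reports capabilities only in actual (extra) and only in expected (missing).
func diffCaps(expected, actual string) (extra, missing []string, err error) {
	e, errE := parseMask(expected)
	a, errA := parseMask(actual)
	if errE != nil || errA != nil {
		return nil, nil, fmt.Errorf("bad mask: expected=%q actual=%q", expected, actual)
	}
	return namesOf(a &^ e), namesOf(e &^ a), nil
}

func main() {
	// Constructed sample: the PR's expected mask against a made-up wider mask.
	fmt.Println(diffCaps("0x000000000000051b", "0x00000000a80425fb"))
}
```

A failing test can print `extra` and `missing` directly, so a triager sees capability names rather than two hex values.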
This should pass after openshift/machine-config-operator#2051 gets in
/retest
This will test the restricted scc is really restricted, including only 0x000000000000051b=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_setpcap,cap_net_bind_service Signed-off-by: Yuval Kashtan <yuvalkashtan@gmail.com>
/test e2e-gcp, e2e-gcp-upgrade
/test e2e-aws-fips, e2e-aws-serial
/retest
/test e2e-aws-fips
/test e2e-cmd
@smarterclayton @mrunalp this is ready to be merged, PTAL
/test e2e-cmd
/lgtm
@smarterclayton @deads2k @mrunalp can we please get an approve here
/approve
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: mrunalp, yuvalk The full list of commands accepted by this bot can be found here. The pull request process is described here
/retest Please review the full test history for this PR and help us cut down flakes.