Compare commits
No commits in common. "c8-stream-1.0" and "c8s-stream-rhel8" have entirely different histories.
c8-stream-
...
c8s-stream
7
.gitignore
vendored
7
.gitignore
vendored
@ -1,2 +1,5 @@
|
|||||||
SOURCES/cri-o-9b1f0a0.tar.gz
|
SOURCES/dnsname-18822f9.tar.gz
|
||||||
SOURCES/libpod-921f98f.tar.gz
|
SOURCES/gvisor-tap-vsock-fdc231ae7b8fe1aec4cf0b8777274fa21b70d789.tar.gz
|
||||||
|
SOURCES/podman-machine-cni-0749884.tar.gz
|
||||||
|
SOURCES/v0.1.7.tar.gz
|
||||||
|
SOURCES/v4.3.1-rhel-d9a6336.tar.gz
|
||||||
|
@ -1,2 +1,5 @@
|
|||||||
b53ff7dd655dec8ddab85b7782a2d41e6bdcb301 SOURCES/cri-o-9b1f0a0.tar.gz
|
00c35447384f51ccc2360965b80868fc91293711 SOURCES/dnsname-18822f9.tar.gz
|
||||||
14fa9349a6277355aa6a4f079a131059d194fd99 SOURCES/libpod-921f98f.tar.gz
|
4f46b03a20ca141f7ea10800282c0ba5aff9dcc2 SOURCES/gvisor-tap-vsock-fdc231ae7b8fe1aec4cf0b8777274fa21b70d789.tar.gz
|
||||||
|
70b08b173bdf0d1325fce035c186b43085865587 SOURCES/podman-machine-cni-0749884.tar.gz
|
||||||
|
94419a237f932ff2a79c91f6e3005034d9c367a5 SOURCES/v0.1.7.tar.gz
|
||||||
|
a2d1be2cdd5b118a046273fb9b298ca110bdd62c SOURCES/v4.3.1-rhel-d9a6336.tar.gz
|
||||||
|
@ -1,31 +0,0 @@
|
|||||||
From fbc96cdd1741021f3d18e49eac3757297aaba851 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthew Heon <mheon@redhat.com>
|
|
||||||
Date: Fri, 19 Feb 2021 11:34:39 -0500
|
|
||||||
Subject: [PATCH] Only drop all caps in exec when non-root
|
|
||||||
|
|
||||||
We were dropping too many capabilities otherwise, which broke
|
|
||||||
some critical system tools (e.g. useradd) in exec sessions.
|
|
||||||
|
|
||||||
Fix RHBZ#1930552
|
|
||||||
|
|
||||||
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|
||||||
---
|
|
||||||
libpod/oci_conmon_linux.go | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
|
|
||||||
index d5973a1a6..18ede031e 100644
|
|
||||||
--- a/libpod/oci.go
|
|
||||||
+++ b/libpod/oci.go
|
|
||||||
@@ -1107,7 +1107,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
|
|
||||||
pspec.Capabilities.Effective = []string{}
|
|
||||||
if privileged {
|
|
||||||
pspec.Capabilities.Bounding = allCaps
|
|
||||||
- } else {
|
|
||||||
+ } else if execUser.Uid != 0 {
|
|
||||||
pspec.Capabilities.Bounding = []string{}
|
|
||||||
}
|
|
||||||
pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,23 +0,0 @@
|
|||||||
From bc5be3ca10cd4c147955fadd2586b5dd8ad0eeea Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthew Heon <mheon@redhat.com>
|
|
||||||
Date: Thu, 24 Sep 2020 10:42:13 -0400
|
|
||||||
Subject: [PATCH] Fix https://bugzilla.redhat.com/show_bug.cgi?id=1882267
|
|
||||||
|
|
||||||
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|
||||||
---
|
|
||||||
cmd/podman/sigproxy.go | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
|
|
||||||
index 16861bad04..92d7f4e4a9 100644
|
|
||||||
--- a/cmd/podman/sigproxy.go
|
|
||||||
+++ b/cmd/podman/sigproxy.go
|
|
||||||
@@ -19,7 +19,7 @@ func ProxySignals(ctr *libpod.Container) {
|
|
||||||
for s := range sigBuffer {
|
|
||||||
// Ignore SIGCHLD and SIGPIPE - these are mostly likely
|
|
||||||
// intended for the podman command itself.
|
|
||||||
- if s == signal.SIGCHLD || s == signal.SIGPIPE {
|
|
||||||
+ if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
@ -1,48 +0,0 @@
|
|||||||
From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
|
|
||||||
From: TomSweeneyRedHat <tsweeney@redhat.com>
|
|
||||||
Date: Tue, 24 Mar 2020 20:10:22 -0400
|
|
||||||
Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
|
|
||||||
|
|
||||||
Stealing @nalind 's workaround to avoid refetching
|
|
||||||
content after a file read failure. Under the right
|
|
||||||
circumstances that could be a symlink to a file meant
|
|
||||||
to overwrite a good file with bad data.
|
|
||||||
|
|
||||||
Testing:
|
|
||||||
```
|
|
||||||
goodstuff
|
|
||||||
|
|
||||||
[1] 14901
|
|
||||||
|
|
||||||
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
|
|
||||||
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
|
|
||||||
no FROM statement found
|
|
||||||
|
|
||||||
goodstuff
|
|
||||||
```
|
|
||||||
|
|
||||||
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
|
|
||||||
---
|
|
||||||
imagebuildah/util.go | 5 +++--
|
|
||||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
|
|
||||||
--- a/vendor/github.com/containers//buildah/imagebuildah/util.go.CVE-2020-10696
|
|
||||||
+++ b/vendor/github.com/containers//buildah/imagebuildah/util.go
|
|
||||||
@@ -12,6 +12,7 @@ import (
|
|
||||||
|
|
||||||
"github.com/containers/buildah"
|
|
||||||
"github.com/containers/storage/pkg/chrootarchive"
|
|
||||||
+ "github.com/containers/storage/pkg/ioutils"
|
|
||||||
"github.com/pkg/errors"
|
|
||||||
"github.com/sirupsen/logrus"
|
|
||||||
)
|
|
||||||
@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
|
|
||||||
}
|
|
||||||
dockerfile := filepath.Join(dir, "Dockerfile")
|
|
||||||
// Assume this is a Dockerfile
|
|
||||||
- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
|
|
||||||
+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
|
|
||||||
return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,319 +0,0 @@
|
|||||||
From 69daa67c436a8fdeb0149aa5cb0112f03fdb699f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthew Heon <mheon@redhat.com>
|
|
||||||
Date: Mon, 25 Jan 2021 14:18:07 -0500
|
|
||||||
Subject: [PATCH] Correct handling of capabilities
|
|
||||||
|
|
||||||
Ensure that capabilities are properly handled for non-root users
|
|
||||||
in privileged containers. We do not want to give full caps, but
|
|
||||||
instead only CapInh and CapEff (others should be all-zeroes).
|
|
||||||
|
|
||||||
Fixing `podman run` is easy - the same code as the Podman 1.6 fix
|
|
||||||
works there. The `podman exec` command is far more challenging.
|
|
||||||
Exec received a complete rewrite to use Conmon at some point
|
|
||||||
before Podman 1.6, and gained many capabilities in the process.
|
|
||||||
One of those was the ability to actually tweak the capabilities
|
|
||||||
of the exec process - 1.0 did not have that. Since it was needed
|
|
||||||
to resolve this CVE, I was forced to backport a large bit of the
|
|
||||||
1.0 -> 1.6 exec changes (passing a Process block to the OCI
|
|
||||||
runtime, and using `prepareProcessExec()` to prepare said block).
|
|
||||||
I am honestly uncomfortable with the size and scope of this
|
|
||||||
change but I don't see another way around this.
|
|
||||||
|
|
||||||
Fixes CVE-2021-20188
|
|
||||||
|
|
||||||
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|
||||||
---
|
|
||||||
libpod/container_api.go | 24 +------
|
|
||||||
libpod/oci.go | 148 ++++++++++++++++++++++++++++++++--------
|
|
||||||
pkg/spec/spec.go | 8 +++
|
|
||||||
3 files changed, 132 insertions(+), 48 deletions(-)
|
|
||||||
|
|
||||||
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go
|
|
||||||
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go.orig 2019-02-11 16:26:46.000000000 +0100
|
|
||||||
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/container_api.go 2021-02-12 10:38:48.767172399 +0100
|
|
||||||
@@ -2,7 +2,6 @@ package libpod
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
- "fmt"
|
|
||||||
"io/ioutil"
|
|
||||||
"os"
|
|
||||||
"strconv"
|
|
||||||
@@ -11,9 +10,7 @@ import (
|
|
||||||
|
|
||||||
"github.com/containers/libpod/libpod/driver"
|
|
||||||
"github.com/containers/libpod/pkg/inspect"
|
|
||||||
- "github.com/containers/libpod/pkg/lookup"
|
|
||||||
"github.com/containers/storage/pkg/stringid"
|
|
||||||
- "github.com/docker/docker/daemon/caps"
|
|
||||||
"github.com/pkg/errors"
|
|
||||||
"github.com/sirupsen/logrus"
|
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
|
||||||
@@ -263,8 +260,6 @@ func (c *Container) Kill(signal uint) er
|
|
||||||
// TODO allow specifying streams to attach to
|
|
||||||
// TODO investigate allowing exec without attaching
|
|
||||||
func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
|
|
||||||
- var capList []string
|
|
||||||
-
|
|
||||||
locked := false
|
|
||||||
if !c.batched {
|
|
||||||
locked = true
|
|
||||||
@@ -287,22 +282,8 @@ func (c *Container) Exec(tty, privileged
|
|
||||||
if conState != ContainerStateRunning {
|
|
||||||
return errors.Errorf("cannot exec into container that is not running")
|
|
||||||
}
|
|
||||||
- if privileged || c.config.Privileged {
|
|
||||||
- capList = caps.GetAllCapabilities()
|
|
||||||
- }
|
|
||||||
|
|
||||||
- // If user was set, look it up in the container to get a UID to use on
|
|
||||||
- // the host
|
|
||||||
- hostUser := ""
|
|
||||||
- if user != "" {
|
|
||||||
- execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
|
|
||||||
- if err != nil {
|
|
||||||
- return err
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- // runc expects user formatted as uid:gid
|
|
||||||
- hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
|
|
||||||
- }
|
|
||||||
+ isPrivileged := privileged || c.config.Privileged
|
|
||||||
|
|
||||||
// Generate exec session ID
|
|
||||||
// Ensure we don't conflict with an existing session ID
|
|
||||||
@@ -324,10 +305,11 @@ func (c *Container) Exec(tty, privileged
|
|
||||||
|
|
||||||
logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
|
|
||||||
|
|
||||||
- execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
|
|
||||||
+ execCmd, processFile, err := c.runtime.ociRuntime.execContainer(c, cmd, env, tty, workDir, user, sessionID, isPrivileged)
|
|
||||||
if err != nil {
|
|
||||||
return errors.Wrapf(err, "error exec %s", c.ID())
|
|
||||||
}
|
|
||||||
+ defer os.Remove(processFile)
|
|
||||||
chWait := make(chan error)
|
|
||||||
go func() {
|
|
||||||
chWait <- execCmd.Wait()
|
|
||||||
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go
|
|
||||||
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go.orig 2019-02-11 16:26:46.000000000 +0100
|
|
||||||
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/libpod/oci.go 2021-02-12 10:38:48.768172416 +0100
|
|
||||||
@@ -15,10 +15,12 @@ import (
|
|
||||||
"syscall"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
+ "github.com/containers/libpod/pkg/lookup"
|
|
||||||
"github.com/containers/libpod/pkg/rootless"
|
|
||||||
"github.com/containers/libpod/pkg/util"
|
|
||||||
"github.com/coreos/go-systemd/activation"
|
|
||||||
"github.com/cri-o/ocicni/pkg/ocicni"
|
|
||||||
+ "github.com/docker/docker/daemon/caps"
|
|
||||||
spec "github.com/opencontainers/runtime-spec/specs-go"
|
|
||||||
"github.com/opencontainers/selinux/go-selinux"
|
|
||||||
"github.com/opencontainers/selinux/go-selinux/label"
|
|
||||||
@@ -735,18 +737,23 @@ func (r *OCIRuntime) unpauseContainer(ct
|
|
||||||
// TODO: Add --detach support
|
|
||||||
// TODO: Convert to use conmon
|
|
||||||
// TODO: add --pid-file and use that to generate exec session tracking
|
|
||||||
-func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
|
|
||||||
+func (r *OCIRuntime) execContainer(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (*exec.Cmd, string, error) {
|
|
||||||
if len(cmd) == 0 {
|
|
||||||
- return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
|
|
||||||
+ return nil, "", errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
|
|
||||||
}
|
|
||||||
|
|
||||||
if sessionID == "" {
|
|
||||||
- return nil, errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
|
|
||||||
+ return nil, "", errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
|
|
||||||
}
|
|
||||||
|
|
||||||
runtimeDir, err := util.GetRootlessRuntimeDir()
|
|
||||||
if err != nil {
|
|
||||||
- return nil, err
|
|
||||||
+ return nil, "", err
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ processFile, err := prepareProcessExec(c, cmd, env, tty, cwd, user, sessionID, privileged)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return nil, "", err
|
|
||||||
}
|
|
||||||
|
|
||||||
args := []string{}
|
|
||||||
@@ -756,34 +763,14 @@ func (r *OCIRuntime) execContainer(c *Co
|
|
||||||
|
|
||||||
args = append(args, "exec")
|
|
||||||
|
|
||||||
- if cwd != "" {
|
|
||||||
- args = append(args, "--cwd", cwd)
|
|
||||||
- }
|
|
||||||
+ args = append(args, "--process", processFile)
|
|
||||||
|
|
||||||
args = append(args, "--pid-file", c.execPidPath(sessionID))
|
|
||||||
|
|
||||||
- if tty {
|
|
||||||
- args = append(args, "--tty")
|
|
||||||
- } else {
|
|
||||||
- args = append(args, "--tty=false")
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if user != "" {
|
|
||||||
- args = append(args, "--user", user)
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
if c.config.Spec.Process.NoNewPrivileges {
|
|
||||||
args = append(args, "--no-new-privs")
|
|
||||||
}
|
|
||||||
|
|
||||||
- for _, cap := range capAdd {
|
|
||||||
- args = append(args, "--cap", cap)
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- for _, envVar := range env {
|
|
||||||
- args = append(args, "--env", envVar)
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
// Append container ID and command
|
|
||||||
args = append(args, c.ID())
|
|
||||||
args = append(args, cmd...)
|
|
||||||
@@ -797,10 +784,10 @@ func (r *OCIRuntime) execContainer(c *Co
|
|
||||||
execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
|
|
||||||
|
|
||||||
if err := execCmd.Start(); err != nil {
|
|
||||||
- return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
|
|
||||||
+ return nil, "", errors.Wrapf(err, "cannot start container %s", c.ID())
|
|
||||||
}
|
|
||||||
|
|
||||||
- return execCmd, nil
|
|
||||||
+ return execCmd, processFile, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// execStopContainer stops all active exec sessions in a container
|
|
||||||
@@ -892,3 +879,110 @@ func (r *OCIRuntime) checkpointContainer
|
|
||||||
args = append(args, ctr.ID())
|
|
||||||
return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...)
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+// prepareProcessExec returns the path of the process.json used in runc exec -p.
|
|
||||||
+// Returns path to the created exec process file. This will need to be removed
|
|
||||||
+// by the caller when they're done, best effort.
|
|
||||||
+func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (string, error) {
|
|
||||||
+ filename := filepath.Join(c.bundlePath(), fmt.Sprintf("exec-process-%s", sessionID))
|
|
||||||
+ f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0600)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return "", err
|
|
||||||
+ }
|
|
||||||
+ defer f.Close()
|
|
||||||
+
|
|
||||||
+ pspec := c.config.Spec.Process
|
|
||||||
+ pspec.SelinuxLabel = c.config.ProcessLabel
|
|
||||||
+ pspec.Args = cmd
|
|
||||||
+ // We need to default this to false else it will inherit terminal as true
|
|
||||||
+ // from the container.
|
|
||||||
+ pspec.Terminal = false
|
|
||||||
+ if tty {
|
|
||||||
+ pspec.Terminal = true
|
|
||||||
+ }
|
|
||||||
+ if len(env) > 0 {
|
|
||||||
+ pspec.Env = append(pspec.Env, env...)
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if cwd != "" {
|
|
||||||
+ pspec.Cwd = cwd
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ var addGroups []string
|
|
||||||
+ var sgids []uint32
|
|
||||||
+
|
|
||||||
+ // if the user is empty, we should inherit the user that the container is currently running with
|
|
||||||
+ if user == "" {
|
|
||||||
+ user = c.config.User
|
|
||||||
+ addGroups = c.config.Groups
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return "", err
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if len(addGroups) > 0 {
|
|
||||||
+ sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, nil)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return "", errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // If user was set, look it up in the container to get a UID to use on
|
|
||||||
+ // the host
|
|
||||||
+ if user != "" || len(sgids) > 0 {
|
|
||||||
+ if user != "" {
|
|
||||||
+ for _, sgid := range execUser.Sgids {
|
|
||||||
+ sgids = append(sgids, uint32(sgid))
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ processUser := spec.User{
|
|
||||||
+ UID: uint32(execUser.Uid),
|
|
||||||
+ GID: uint32(execUser.Gid),
|
|
||||||
+ AdditionalGids: sgids,
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ pspec.User = processUser
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ allCaps := caps.GetAllCapabilities()
|
|
||||||
+ pspec.Capabilities.Effective = []string{}
|
|
||||||
+ if privileged {
|
|
||||||
+ pspec.Capabilities.Bounding = allCaps
|
|
||||||
+ } else {
|
|
||||||
+ pspec.Capabilities.Bounding = []string{}
|
|
||||||
+ }
|
|
||||||
+ pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
|
|
||||||
+ if execUser.Uid == 0 {
|
|
||||||
+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
|
|
||||||
+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
|
|
||||||
+ pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
|
|
||||||
+ } else {
|
|
||||||
+ pspec.Capabilities.Permitted = pspec.Capabilities.Effective
|
|
||||||
+ pspec.Capabilities.Ambient = pspec.Capabilities.Effective
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ hasHomeSet := false
|
|
||||||
+ for _, s := range pspec.Env {
|
|
||||||
+ if strings.HasPrefix(s, "HOME=") {
|
|
||||||
+ hasHomeSet = true
|
|
||||||
+ break
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if !hasHomeSet {
|
|
||||||
+ pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home))
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ processJSON, err := json.Marshal(pspec)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return "", err
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if err := ioutil.WriteFile(filename, processJSON, 0644); err != nil {
|
|
||||||
+ return "", err
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return filename, nil
|
|
||||||
+}
|
|
||||||
diff -up libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go
|
|
||||||
--- libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go.orig 2019-02-11 16:26:46.000000000 +0100
|
|
||||||
+++ libpod-921f98f8795eb9fcb19ce581020cfdeff6dee09f/pkg/spec/spec.go 2021-02-12 10:38:48.768172416 +0100
|
|
||||||
@@ -325,6 +325,14 @@ func CreateConfigToOCISpec(config *Creat
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
g.SetupPrivileged(true)
|
|
||||||
+ if config.User != "" {
|
|
||||||
+ user := strings.SplitN(config.User, ":", 2)[0]
|
|
||||||
+ if user != "root" && user != "0" {
|
|
||||||
+ g.Spec().Process.Capabilities.Effective = []string{}
|
|
||||||
+ g.Spec().Process.Capabilities.Permitted = []string{}
|
|
||||||
+ g.Spec().Process.Capabilities.Ambient = []string{}
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
// HANDLE SECCOMP
|
|
2060
SPECS/podman.spec
2060
SPECS/podman.spec
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user