This repository has been archived by the owner on May 6, 2020. It is now read-only.

Default capabilities: runc drops CAPs by default. cc-runtime/agent should do the same #818

Closed
mcastelino opened this issue Nov 17, 2017 · 2 comments

@mcastelino
Contributor

Description of problem

runc drops all elevated privileges by default when launching the container.
cc-runtime does not drop any privileges.

Even though the container workload runs in the virtual machine, not dropping capabilities can still cause issues. An example below:

$ docker run --rm -it --runtime=runc alpine sh
# ip addr add 10.10.10.10/32 dev eth0
ip: RTNETLINK answers: Operation not permitted
grantley$ docker run --rm -it --runtime=runc --cap-add=NET_ADMIN alpine sh
# ip addr add 10.10.10.10/32 dev eth0
$ docker run --rm -it --runtime=cc-runtime  alpine sh
/ # ip addr add 10.10.10.10/32 dev eth0

Expected result

$ docker run --rm -it --runtime=cc-runtime  alpine sh
/ # ip addr add 10.10.10.10/32 dev eth0

should fail till we add support for elevating capabilities.

@mcastelino
Contributor Author

This is not really a duplicate of #51
We should drop all CAPs to match the default runc container.

Adding CAPs can be done as a next step.

/cc @sboeuf @amshinde

@mcastelino
Contributor Author

runc caps

$ docker run --runtime=runc -it capsh capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=

cc-runtime caps

$ docker run --runtime=cc-runtime -it capsh capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=
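As an added example (not code from this issue or from the cc-runtime/agent project), the Go program below parses the `Current:` line of the two `capsh --print` runs quoted above, reports which capabilities the cc-runtime container holds beyond runc's default set, and shows the filtered list a runtime would keep if it limited itself to that same subset. The runc default set is copied from the runc output in the comment; the function names, the two embedded sample outputs and the assumption that `capsh` prints a single comma-separated list followed by a `+eip`-style suffix are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// RuncDefaultCaps is the bounding set runc grants by default, copied from the
// runc `capsh --print` output quoted in this issue.
var RuncDefaultCaps = map[string]bool{
	"cap_chown": true, "cap_dac_override": true, "cap_fowner": true,
	"cap_fsetid": true, "cap_kill": true, "cap_setgid": true,
	"cap_setuid": true, "cap_setpcap": true, "cap_net_bind_service": true,
	"cap_net_raw": true, "cap_sys_chroot": true, "cap_mknod": true,
	"cap_audit_write": true, "cap_setfcap": true,
}

// Sample input: the first lines of the two capsh runs quoted in the issue,
// embedded here so the program runs offline.
const RuncCapshOutput = `Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Securebits: 00/0x0/1'b0
uid=0(root)`

const CCRuntimeCapshOutput = `Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37+eip
Securebits: 00/0x0/1'b0
uid=0(root)`

// ParseCapshCurrent extracts the capability names from the "Current:" line of
// `capsh --print` output and returns them sorted and de-duplicated. Assumes
// the line has the shape "Current: = a,b,c+eip" as in the outputs above. A
// bare number (the "37" in the cc-runtime run) is a capability capsh had no
// name for; it is kept as-is so it shows up in the comparison.
func ParseCapshCurrent(output string) []string {
	seen := map[string]bool{}
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "Current:") {
			continue
		}
		rest := strings.TrimSpace(strings.TrimPrefix(line, "Current:"))
		rest = strings.TrimSpace(strings.TrimPrefix(rest, "="))
		// Drop the action/flag suffix ("+eip") before splitting the list.
		if i := strings.IndexAny(rest, "+-"); i >= 0 {
			rest = rest[:i]
		}
		for _, c := range strings.Split(rest, ",") {
			if c = strings.ToLower(strings.TrimSpace(c)); c != "" {
				seen[c] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for c := range seen {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// ExcessCaps returns the capabilities that runc would not grant by default.
// An empty result means the container is within the runc default set.
func ExcessCaps(caps []string) []string {
	var out []string
	for _, c := range caps {
		if !RuncDefaultCaps[c] {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

// RestrictToRuncDefaults keeps only the capabilities in the runc default set,
// i.e. the subset a runtime would pass on if it matched runc's behaviour.
func RestrictToRuncDefaults(caps []string) []string {
	var out []string
	for _, c := range caps {
		if RuncDefaultCaps[c] {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	samples := []struct{ name, output string }{
		{"runc", RuncCapshOutput},
		{"cc-runtime", CCRuntimeCapshOutput},
	}
	for _, s := range samples {
		caps := ParseCapshCurrent(s.output)
		fmt.Printf("%-10s %d caps, excess over runc defaults: %v\n", s.name, len(caps), ExcessCaps(caps))
		fmt.Printf("%-10s restricted set: %v\n", s.name, RestrictToRuncDefaults(caps))
	}
}
```

Run against the two quoted outputs, the runc container reports no excess, while the cc-runtime container reports 24 capabilities beyond the default set (cap_net_admin among them, which is exactly what lets `ip addr add` succeed in the first comment); restricting the cc-runtime list to the runc defaults leaves the same 14 capabilities runc grants.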

mcastelino added a commit to mcastelino/agent that referenced this issue Nov 17, 2017
Limit the list of capabilities to the same subset as runc

Fixes clearcontainers/runtime#818

Signed-off-by: Manohar Castelino <[email protected]>