Merge pull request #557 from mrunalp/nonewprivs
Add support for NoNewPrivileges
This commit is contained in:
Alexander Morozov
commit
533ee4d688
|
|
@ -171,6 +171,9 @@ type Config struct {
|
|||
// A default action to be taken if no rules match is also given.
|
||||
Seccomp *Seccomp `json:"seccomp"`
|
||||
|
||||
// NoNewPrivileges controls whether processes in the container can gain additional privileges.
|
||||
NoNewPrivileges bool `json:"no_new_privileges"`
|
||||
|
||||
// Hooks are a collection of actions to perform at various container lifecycle events.
|
||||
// Hooks are not able to be marshaled to json but they are also not needed to.
|
||||
Hooks *Hooks `json:"-"`
|
||||
|
|
|
|||
|
|
@ -29,6 +29,11 @@ func (l *linuxSetnsInit) Init() error {
|
|||
if err := setOomScoreAdj(l.config.Config.OomScoreAdj); err != nil {
|
||||
return err
|
||||
}
|
||||
if l.config.Config.NoNewPrivileges {
|
||||
if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
if l.config.Config.Seccomp != nil {
|
||||
if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
|
||||
return err
|
||||
|
|
|
|||
|
|
@ -21,6 +21,10 @@ type linuxStandardInit struct {
|
|||
config *initConfig
|
||||
}
|
||||
|
||||
// PR_SET_NO_NEW_PRIVS isn't exposed in Golang so we define it ourselves copying the value
|
||||
// the kernel
|
||||
const PR_SET_NO_NEW_PRIVS = 0x26
|
||||
|
||||
func (l *linuxStandardInit) Init() error {
|
||||
// do not inherit the parent's session keyring
|
||||
sessKeyId, err := keyctl.JoinSessionKeyring("")
|
||||
|
|
@ -103,6 +107,11 @@ func (l *linuxStandardInit) Init() error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if l.config.Config.NoNewPrivileges {
|
||||
if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
// Tell our parent that we're ready to Execv. This must be done before the
|
||||
// Seccomp rules have been applied, because we need to be able to read and
|
||||
// write to a socket.
|
||||
|
|
@ -128,5 +137,6 @@ func (l *linuxStandardInit) Init() error {
|
|||
if syscall.Getppid() != l.parentPid {
|
||||
return syscall.Kill(syscall.Getpid(), syscall.SIGKILL)
|
||||
}
|
||||
|
||||
return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
|
||||
}
|
||||
|
|
|
|||
|
|
@ -112,3 +112,11 @@ func RunningInUserNS() bool {
|
|||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func Prctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error) {
|
||||
_, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0)
|
||||
if e1 != 0 {
|
||||
err = e1
|
||||
}
|
||||
return
|
||||
}
|
||||
|
|
|
|||
2
spec.go
2
spec.go
|
|
@ -140,6 +140,7 @@ var specCommand = cli.Command{
|
|||
Soft: uint64(1024),
|
||||
},
|
||||
},
|
||||
NoNewPrivileges: true,
|
||||
},
|
||||
}
|
||||
|
||||
|
|
@ -300,6 +301,7 @@ func createLibcontainerConfig(cgroupName string, spec *specs.LinuxSpec) (*config
|
|||
config.Sysctl = spec.Linux.Sysctl
|
||||
config.ProcessLabel = spec.Linux.SelinuxProcessLabel
|
||||
config.AppArmorProfile = spec.Linux.ApparmorProfile
|
||||
config.NoNewPrivileges = spec.Linux.NoNewPrivileges
|
||||
for _, g := range spec.Process.User.AdditionalGids {
|
||||
config.AdditionalGroups = append(config.AdditionalGroups, strconv.FormatUint(uint64(g), 10))
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue