Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't set ambient caps; switch to moby/sys/capability #5754

Merged
merged 2 commits into from
Oct 2, 2024
Merged

Don't set ambient caps; switch to moby/sys/capability #5754

merged 2 commits into from
Oct 2, 2024

Conversation

kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Sep 25, 2024
edited
Loading

github.com/moby/sys/capability is a fork of the (no longer maintained) github.com/syndtr/gocapability package.

For the list of changes since the fork took place, see https://github.com/moby/sys/blob/main/capability/CHANGELOG.md

What type of PR is this?

/kind other

What this PR does / why we need it:

How to verify it

Which issue(s) this PR fixes:

Special notes for your reviewer:

Note that removing the AMBENT caps from chroot is a no-op -- since ambient caps couldn't be set without inheritable, practically they were not set since commit e7e55c9.

See also

Does this PR introduce a user-facing change?

none

@packit-as-a-service Packit-as-a-Service
Copy link

Ephemeral COPR build failed. @containers/packit-build please check.

@kolyshkin kolyshkin force-pushed the cap branch 2 times, most recently from ccd44dc to c48ee74 Compare September 26, 2024 08:20
@kolyshkin
Copy link
Contributor Author

I think I found a bug :)

[kir@kir-tp1 chroot]$ go test -run TestNoop -exec sudo  -v
=== RUN   TestNoop
    run_test.go:121: run: exit status 1: error setting capabilities for process: setting capabilities: operation not permitted
        subprocess exited with status 1
--- FAIL: TestNoop (0.08s)
FAIL
exit status 1
FAIL	github.com/containers/buildah/chroot	0.107s

One of the most important fixes in the capability package fork was this one: kolyshkin/capability@4d79446

Essentially, an error from setting ambient capabilities was ignored. Now it is not.

Most probably ambient capabilities are set without setting inheritable ones. We found the same issue in runc.

@kolyshkin
Copy link
Contributor Author

Most probably ambient capabilities are set without setting inheritable ones. We found the same issue in runc.

Right. Added a commit that fixes that.

@kolyshkin kolyshkin force-pushed the cap branch 2 times, most recently from 4653d45 to f4899b2 Compare September 26, 2024 08:26
@kolyshkin kolyshkin changed the title vendor: switch to moby/sys/capability Don't set ambient caps; switch to moby/sys/capability Sep 26, 2024
@rhatdan
Copy link
Member

rhatdan commented Sep 26, 2024

LGTM

@kolyshkin
Don't set ambient capabilities
37a6bde 
Ambient capabilities can't be raised without inheritable ones, and since we
don't raise inheritable, we should not raise ambient either.

This went unnoticed because of a bug in syndtr/gocapability which is
only fixed in its fork (see the next commit).

Amends commit e7e55c9.

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin
vendor: switch to moby/sys/capability
95f2e10 
github.com/moby/sys/capability is a fork of the (no longer maintained)
github.com/syndtr/gocapability package.

For the list of changes since the fork took place, see
https://github.com/moby/sys/blob/main/capability/CHANGELOG.md

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin kolyshkin marked this pull request as ready for review September 30, 2024 20:19
@kolyshkin kolyshkin mentioned this pull request Sep 30, 2024
Merged
@rhatdan
Copy link
Member

rhatdan commented Oct 2, 2024

@nalind @giuseppe @mtrmac @mheon @flouthoc PTAL

@mheon
Copy link
Member

mheon commented Oct 2, 2024

LGTM

@nalind
Copy link
Member

nalind commented Oct 2, 2024

LGTM, thanks!
/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm label Oct 2, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 2, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kolyshkin, nalind

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Oct 2, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit c68e17b into containers:main Oct 2, 2024
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@nalind nalind

Labels
approved kind/other lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kolyshkin @rhatdan @mheon @nalind