Merge pull request #20252 from vrothberg/privileged
containers.conf: add `privileged` field to containers table
openshift-ci[bot] authored Oct 7, 2023
2 parents b7f708a + 362eca6 commit e9d6ffa
Showing 14 changed files with 81 additions and 16 deletions.
2 changes: 1 addition & 1 deletion cmd/podman/common/create.go
Expand Up @@ -348,7 +348,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
_ = cmd.RegisterFlagCompletionFunc(podIDFileFlagName, completion.AutocompleteDefault)
createFlags.BoolVar(
&cf.Privileged,
"privileged", false,
"privileged", podmanConfig.ContainersConfDefaultsRO.Containers.Privileged,
"Give extended privileges to container",
)
createFlags.BoolVarP(
3 changes: 2 additions & 1 deletion cmd/podman/containers/exec.go
Expand Up @@ -53,6 +53,7 @@ var (
)

func execFlags(cmd *cobra.Command) {
podmanConfig := registry.PodmanConfig()
flags := cmd.Flags()

flags.SetInterspersed(false)
Expand All @@ -71,7 +72,7 @@ func execFlags(cmd *cobra.Command) {
_ = cmd.RegisterFlagCompletionFunc(envFileFlagName, completion.AutocompleteDefault)

flags.BoolVarP(&execOpts.Interactive, "interactive", "i", false, "Keep STDIN open even if not attached")
flags.BoolVar(&execOpts.Privileged, "privileged", false, "Give the process extended Linux capabilities inside the container. The default is false")
flags.BoolVar(&execOpts.Privileged, "privileged", podmanConfig.ContainersConfDefaultsRO.Containers.Privileged, "Give the process extended Linux capabilities inside the container. The default is false")
flags.BoolVarP(&execOpts.Tty, "tty", "t", false, "Allocate a pseudo-TTY. The default is false")

userFlagName := "user"
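Review bot: The help string on the new `--privileged` line still ends with "The default is false", but the default is now whatever `containers.privileged` resolves to in containers.conf, so the text can contradict the `(default true)` that pflag prints when the config enables it. Drop the hard-coded claim: `flags.BoolVar(&execOpts.Privileged, "privileged", podmanConfig.ContainersConfDefaultsRO.Containers.Privileged, "Give the process extended Linux capabilities inside the container")`. The same wording on the `--tty` line below is untouched here and stays accurate because its default remains a literal. The rest of execFlags continues outside the hunk.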
5 changes: 4 additions & 1 deletion docs/source/markdown/options/privileged.md
Expand Up @@ -16,5 +16,8 @@ mode (**--systemd=always**).
A privileged container turns off the security features that isolate the
container from the host. Dropped Capabilities, limited devices, read-only mount
points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
Due to the disabled security features, the privileged field should almost never
be set as containers can easily break out of confinement.

Rootless containers cannot have more privileges than the account that launched them.
Containers running in a user namespace (e.g., rootless containers) cannot have
more privileges than the user that launched them.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -13,7 +13,7 @@ require (
github.com/containernetworking/cni v1.1.2
github.com/containernetworking/plugins v1.3.0
github.com/containers/buildah v1.32.0
github.com/containers/common v0.56.1-0.20231002091908-745eaa498509
github.com/containers/common v0.56.1-0.20231005124809-b4ef9cdeab5b
github.com/containers/conmon v2.0.20+incompatible
github.com/containers/gvisor-tap-vsock v0.7.1
github.com/containers/image/v5 v5.28.0
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -249,8 +249,8 @@ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q
github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
github.com/containers/buildah v1.32.0 h1:uz5Rcf7lGeStj7iPTBgO4UdhQYZqMMzyt9suDf16k1k=
github.com/containers/buildah v1.32.0/go.mod h1:sN3rA3DbnqekNz3bNdkqWduuirYDuMs54LUCOZOomBE=
github.com/containers/common v0.56.1-0.20231002091908-745eaa498509 h1:og5WEvZ2R4WMaO7L3F+Nfq0vfhtIZBxfG6BOVpG+Vfs=
github.com/containers/common v0.56.1-0.20231002091908-745eaa498509/go.mod h1:8whK9BaTeJqaSTAM0r2A7OdW+XVS+4X9SVh0D6zxpek=
github.com/containers/common v0.56.1-0.20231005124809-b4ef9cdeab5b h1:LIHpr2o8WakQ48q2GAQZlMAG+zsVJPOQSLraxP7j9fI=
github.com/containers/common v0.56.1-0.20231005124809-b4ef9cdeab5b/go.mod h1:8gifkvVxN1oOHJ9Yp/SHWcN6MlxdC0gZCF2+MaWjErc=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/gvisor-tap-vsock v0.7.1 h1:+Rc+sOPplrkQb/BUXeN0ug8TxjgyrIqo/9P/eNS2A4c=
5 changes: 4 additions & 1 deletion pkg/api/handlers/libpod/containers_create.go
Expand Up @@ -13,6 +13,7 @@ import (
"github.com/containers/podman/v4/pkg/specgen"
"github.com/containers/podman/v4/pkg/specgen/generate"
"github.com/containers/podman/v4/pkg/specgenutil"
"github.com/sirupsen/logrus"
)

// CreateContainer takes a specgenerator and makes a container. It returns
Expand All @@ -31,14 +32,16 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
UseImageHosts: conf.Containers.NoHosts,
},
ContainerSecurityConfig: specgen.ContainerSecurityConfig{
Umask: conf.Containers.Umask,
Umask: conf.Containers.Umask,
Privileged: conf.Containers.Privileged,
},
}

if err := json.NewDecoder(r.Body).Decode(&sg); err != nil {
utils.Error(w, http.StatusInternalServerError, fmt.Errorf("decode(): %w", err))
return
}
logrus.Errorf("Privileged: %v", sg.ContainerSecurityConfig.Privileged)
if sg.Passwd == nil {
t := true
sg.Passwd = &t
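Review bot: `logrus.Errorf("Privileged: %v", sg.ContainerSecurityConfig.Privileged)` after the body decode looks like a leftover debug print: it fires at error level on every successful libpod create request and is the only user of the newly added logrus import, so both that line and the `"github.com/sirupsen/logrus"` import line should go (or the call be demoted to `logrus.Debugf` if the trace is wanted). Because the containers.conf value is written into the specgen before the request body is decoded, a client that omits the field now inherits the server-side default while an explicit value in the body still wins; that is worth a one-line comment on the new `Privileged:` field, e.g. `// containers.conf default; an explicit value in the request body overrides it`. The decode failure a few lines above also answers 500 for a malformed client body, where 400 would be more accurate, though that predates this change. CreateContainer continues outside the hunk.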
28 changes: 25 additions & 3 deletions test/system/800-config.bats
Expand Up @@ -188,12 +188,34 @@ EOF
cat > $conf_tmp <<EOF
[containers]
env_host=true
privileged=true
EOF

# Make sure env_host variable is read
random_env_var="expected_env_var_$(random_string 15)"
FOO="$random_env_var" run_podman --module=$conf_tmp run --rm $IMAGE /bin/printenv FOO
is "$output" "$random_env_var" "--module should yield injecting host env vars into the container"
FOO="$random_env_var" run_podman --module=$conf_tmp run -d --name=$cname $IMAGE top
cname="$output"

# Make sure `env_host` is read
run_podman container inspect $cname --format "{{.Config.Env}}"
assert "$output" =~ "FOO=$random_env_var" "--module should yield injecting host env vars into the container"

# Make sure `privileged` is read during container creation
run_podman container inspect $cname --format "{{.HostConfig.Privileged}}"
assert "$output" = "true" "--module should enable a privileged container"

run_podman rm -f -t0 $cname

# Make sure `privileged` is read during exec, which requires running a
# non-privileged container.
run_podman run -d $IMAGE top
cname="$output"

run_podman container exec $cname grep CapBnd /proc/self/status
non_privileged_caps="$output"
run_podman --module=$conf_tmp container exec $cname grep CapBnd /proc/self/status
assert "$output" != "$non_privileged_caps" "--module should enable a prvileged exec session"

run_podman rm -f -t0 $cname
}

# vim: filetype=sh
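Review bot: `run -d --name=$cname` on the first new run_podman line uses `cname` before it is assigned from `$output` on the line after it; unless the test sets it earlier (the test body starts outside the hunk), the container is created with an empty `--name=`. Since the ID captured into `cname` is what the inspect and `rm` calls use, dropping the flag keeps the test self-contained: `FOO="$random_env_var" run_podman --module=$conf_tmp run -d $IMAGE top`. The message on the final exec assertion also misspells "privileged" as "prvileged".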
2 changes: 1 addition & 1 deletion vendor/github.com/containers/common/libimage/copier.go


2 changes: 1 addition & 1 deletion vendor/github.com/containers/common/libimage/filters.go


14 changes: 13 additions & 1 deletion vendor/github.com/containers/common/pkg/config/config.go


12 changes: 12 additions & 0 deletions vendor/github.com/containers/common/pkg/config/containers.conf


2 changes: 1 addition & 1 deletion vendor/modules.txt
Expand Up @@ -164,7 +164,7 @@ github.com/containers/buildah/pkg/sshagent
github.com/containers/buildah/pkg/util
github.com/containers/buildah/pkg/volumes
github.com/containers/buildah/util
# github.com/containers/common v0.56.1-0.20231002091908-745eaa498509
# github.com/containers/common v0.56.1-0.20231005124809-b4ef9cdeab5b
## explicit; go 1.18
github.com/containers/common/libimage
github.com/containers/common/libimage/define

1 comment on commit e9d6ffa

@packit-as-a-service

podman-next COPR build failed. @containers/packit-build please check.
