Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't set ambient caps; switch to moby/sys/capability #5754

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Don't set ambient caps; switch to moby/sys/capability #5754

wants to merge 2 commits into from

Conversation

kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Sep 25, 2024
edited
Loading

github.com/moby/sys/capability is a fork of the (no longer maintained) github.com/syndtr/gocapability package.

For the list of changes since the fork took place, see https://github.com/moby/sys/blob/main/capability/CHANGELOG.md

What type of PR is this?

/kind other

What this PR does / why we need it:

How to verify it

Which issue(s) this PR fixes:

Special notes for your reviewer:

Note that removing the AMBENT caps from chroot is a no-op -- since ambient caps couldn't be set without inheritable, practically they were not set since commit e7e55c9.

See also

Does this PR introduce a user-facing change?

none

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 25, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kolyshkin
Once this PR has been reviewed and has the lgtm label, please assign rhatdan for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@packit-as-a-service Packit-as-a-Service
Copy link

Ephemeral COPR build failed. @containers/packit-build please check.

@kolyshkin
Copy link
Contributor Author

I think I found a bug :)

[kir@kir-tp1 chroot]$ go test -run TestNoop -exec sudo  -v
=== RUN   TestNoop
    run_test.go:121: run: exit status 1: error setting capabilities for process: setting capabilities: operation not permitted
        subprocess exited with status 1
--- FAIL: TestNoop (0.08s)
FAIL
exit status 1
FAIL	github.com/containers/buildah/chroot	0.107s

One of the most important fixes in the capability package fork was this one: kolyshkin/capability@4d79446

Essentially, an error from setting ambient capabilities was ignored. Now it is not.

Most probably ambient capabilities are set without setting inheritable ones. We found the same issue in runc.

@kolyshkin
Copy link
Contributor Author

Most probably ambient capabilities are set without setting inheritable ones. We found the same issue in runc.

Right. Added a commit that fixes that.

@kolyshkin
Don't set ambient capabilities
6322d7a 
Ambient capabilities can't be raised without inheritable ones, and since we
don't raise inheritable, we should not raise ambient either.

This went unnoticed because of a bug in syndtr/gocapability which is
only fixed in its fork (see the next commit).

Amends commit e7e55c9.

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin
vendor: switch to moby/sys/capability
f4899b2 
github.com/moby/sys/capability is a fork of the (no longer maintained)
github.com/syndtr/gocapability package.

For the list of changes since the fork took place, see
https://github.com/moby/sys/blob/main/capability/CHANGELOG.md

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin kolyshkin changed the title vendor: switch to moby/sys/capability Don't set ambient caps; switch to moby/sys/capability Sep 26, 2024
@rhatdan
Copy link
Member

rhatdan commented Sep 26, 2024

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
do-not-merge/work-in-progress kind/other
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kolyshkin @rhatdan