Merge pull request #5206 from rhatdan/capabilities

Allow devs to set labels in container images for default capabilities.

Author: openshift-merge-robot

docs/source/markdown/podman-build.1.md

@@ -279,6 +279,16 @@ BUILDAH\_ISOLATION environment variable.  `export BUILDAH_ISOLATION=oci`
 
 Add an image *label* (e.g. label=*value*) to the image metadata. Can be used multiple times.
 
+Users can set a special LABEL **io.containers.capabilities=CAP1,CAP2,CAP3** in
+a Containerfile that specified the list of Linux capabilities required for the
+container to run properly. This label specified in a container image tells
+Podman to run the container with just these capabilties. Podman launches the
+container with just the specified capabilties, as long as this list of
+capabilities is a subset of the default list.
+
+If the specified capabilities are not in the default set, Podman will
+print an error message and will run the container with the default capabilities.
+
 **--layers**
 
 Cache intermediate images during the build process (Default is `true`).

docs/source/markdown/podman-commit.1.md

@@ -60,8 +60,9 @@ Suppress output
 
 ## EXAMPLES
 
+### Create image from container with entrypoint and label
 ```
-$ podman commit --change CMD=/bin/bash --change ENTRYPOINT=/bin/sh --change LABEL=blue=image reverent_golick image-committed
+$ podman commit --change CMD=/bin/bash --change ENTRYPOINT=/bin/sh --change "LABEL blue=image" reverent_golick image-committed
 Getting image source signatures
 Copying blob sha256:b41deda5a2feb1f03a5c1bb38c598cbc12c9ccd675f438edc6acd815f7585b86
  25.80 MB / 25.80 MB [======================================================] 0s
@@ -72,26 +73,37 @@ Storing signatures
 e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8
 ```
 
+### Create image from container with commit message
 ```
-$ podman commit -q --message "committing container to image" reverent_golick image-committed
-e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8
+$ podman commit -q --message "committing container to image"
+reverent_golick image-committed
+e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8 ```
 ```
 
+### Create image from container with author
 ```
 $ podman commit -q --author "firstName lastName" reverent_golick image-committed
 e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8
 ```
 
+### Pause a running container while creating the image
 ```
-$ podman commit -q --pause=false containerID image-committed
+$ podman commit -q --pause=true containerID image-committed
 e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8
 ```
 
+### Create an image from a container with a default image tag
 ```
 $ podman commit containerID
 e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8
 ```
 
+### Create an image from container with default required capabilities are SETUID and SETGID
+```
+$ podman commit -q --change LABEL=io.containers.capabilities=setuid,setgid epic_nobel privimage
+400d31a3f36dca751435e80a0e16da4859beb51ff84670ce6bdc5edb30b94066
+```
+
 ## SEE ALSO
 podman(1), podman-run(1), podman-create(1)
 

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/containernetworking/cni v0.7.2-0.20190904153231-83439463f784
 	github.com/containernetworking/plugins v0.8.5
 	github.com/containers/buildah v1.14.1-0.20200227103754-f0c3fd7c3d34
-	github.com/containers/common v0.4.2 // indirect
+	github.com/containers/common v0.4.2
 	github.com/containers/conmon v2.0.10+incompatible
 	github.com/containers/image/v5 v5.2.1
 	github.com/containers/psgo v1.4.0

go.sum

@@ -9,9 +9,9 @@ import (
 	"os"
 	"time"
 
+	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/libpod/events"
-	"github.com/containers/libpod/pkg/capabilities"
 	"github.com/containers/storage/pkg/stringid"
 	"github.com/opentracing/opentracing-go"
 	"github.com/pkg/errors"

libpod/container_api.go

@@ -112,6 +112,7 @@ type NetworkConfig struct {
 type SecurityConfig struct {
 	CapAdd                  []string // cap-add
 	CapDrop                 []string // cap-drop
+	CapRequired             []string // cap-required
 	LabelOpts               []string //SecurityOpts
 	NoNewPrivs              bool     //SecurityOpts
 	ApparmorProfile         string   //SecurityOpts

pkg/capabilities/capabilities.go

@@ -4,11 +4,13 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/libpod/libpod"
-	"github.com/containers/libpod/pkg/capabilities"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // ToCreateOptions convert the SecurityConfig to a slice of container create
@@ -113,28 +115,49 @@ func (c *SecurityConfig) ConfigureGenerator(g *generate.Generator, user *UserCon
 
 	configSpec := g.Config
 	var err error
-	var caplist []string
+	var defaultCaplist []string
 	bounding := configSpec.Process.Capabilities.Bounding
 	if useNotRoot(user.User) {
-		configSpec.Process.Capabilities.Bounding = caplist
+		configSpec.Process.Capabilities.Bounding = defaultCaplist
 	}
-	caplist, err = capabilities.MergeCapabilities(configSpec.Process.Capabilities.Bounding, c.CapAdd, c.CapDrop)
+	defaultCaplist, err = capabilities.MergeCapabilities(configSpec.Process.Capabilities.Bounding, c.CapAdd, c.CapDrop)
 	if err != nil {
 		return err
 	}
 
-	configSpec.Process.Capabilities.Bounding = caplist
-	configSpec.Process.Capabilities.Permitted = caplist
-	configSpec.Process.Capabilities.Inheritable = caplist
-	configSpec.Process.Capabilities.Effective = caplist
-	configSpec.Process.Capabilities.Ambient = caplist
+	privCapRequired := []string{}
+
+	if !c.Privileged && len(c.CapRequired) > 0 {
+		// Pass CapRequired in CapAdd field to normalize capabilties names
+		capRequired, err := capabilities.MergeCapabilities(nil, c.CapRequired, nil)
+		if err != nil {
+			logrus.Errorf("capabilties requested by user or image are not valid: %q", strings.Join(c.CapRequired, ","))
+		} else {
+			// Verify all capRequiered are in the defaultCapList
+			for _, cap := range capRequired {
+				if !util.StringInSlice(cap, defaultCaplist) {
+					privCapRequired = append(privCapRequired, cap)
+				}
+			}
+		}
+		if len(privCapRequired) == 0 {
+			defaultCaplist = capRequired
+		} else {
+			logrus.Errorf("capabilties requested by user or image are not allowed by default: %q", strings.Join(privCapRequired, ","))
+		}
+	}
+	configSpec.Process.Capabilities.Bounding = defaultCaplist
+	configSpec.Process.Capabilities.Permitted = defaultCaplist
+	configSpec.Process.Capabilities.Inheritable = defaultCaplist
+	configSpec.Process.Capabilities.Effective = defaultCaplist
+	configSpec.Process.Capabilities.Ambient = defaultCaplist
 	if useNotRoot(user.User) {
-		caplist, err = capabilities.MergeCapabilities(bounding, c.CapAdd, c.CapDrop)
+		defaultCaplist, err = capabilities.MergeCapabilities(bounding, c.CapAdd, c.CapDrop)
 		if err != nil {
 			return err
 		}
 	}
-	configSpec.Process.Capabilities.Bounding = caplist
+	configSpec.Process.Capabilities.Bounding = defaultCaplist
 
 	// HANDLE SECCOMP
 	if c.SeccompProfilePath != "unconfined" {

pkg/spec/createconfig.go

@@ -3,13 +3,15 @@ package createconfig
 import (
 	"strings"
 
+	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/libpod/libpod"
 	libpodconfig "github.com/containers/libpod/libpod/config"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/cgroups"
 	"github.com/containers/libpod/pkg/env"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/sysinfo"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/runc/libcontainer/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -330,6 +332,18 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	}
 	configSpec := g.Config
 
+	// If the container image specifies an label with a
+	// capabilities.ContainerImageLabel then split the comma separated list
+	// of capabilities and record them.  This list indicates the only
+	// capabilities, required to run the container.
+	var capRequired []string
+	for key, val := range config.Labels {
+		if util.StringInSlice(key, capabilities.ContainerImageLabels) {
+			capRequired = strings.Split(val, ",")
+		}
+	}
+	config.Security.CapRequired = capRequired
+
 	if err := config.Security.ConfigureGenerator(&g, &config.User); err != nil {
 		return nil, err
 	}

pkg/spec/security.go

@@ -3,9 +3,9 @@ package specgen
 import (
 	"os"
 
+	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/image"
-	"github.com/containers/libpod/pkg/capabilities"
 	"github.com/cri-o/ocicni/pkg/ocicni"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"