If container will run as non root user, drop permitted, effective caps early

justincormack · justincormack · commit 15ff09395c00 · 2018-03-19T14:45:27.000-07:00
As soon as the initial executable in the container is executed as a non root user,
permitted and effective capabilities are dropped. Drop them earlier than this, so
that they are dropped before executing the file. The main effect of this is that
if `CAP_DAC_OVERRIDE` is set (the default) the user will not be able to execute
files they do not have permission to execute, which previously they could.

The old behaviour was somewhat surprising and the new one is definitely correct,
but it is not in any meaningful way exploitable, and I do not think it is
necessary to backport this fix. It is unlikely to have any negative effects as
almost all executables have world execute permission anyway.

Use the bounding set not the effective set as the canonical set of capabilities, as
effective will now vary.

Signed-off-by: Justin Cormack &lt;justin.cormack@docker.com&gt;
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
@@ -255,7 +255,7 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
 	if c.HostConfig.Privileged {
 		caplist = caps.GetAllCapabilities()
 	} else {
-		caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Effective, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
+		caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
 		if err != nil {
 			return err
 		}
@@ -264,6 +264,12 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
 	s.Process.Capabilities.Bounding = caplist
 	s.Process.Capabilities.Permitted = caplist
 	s.Process.Capabilities.Inheritable = caplist
+	// setUser has already been executed here
+	// if non root drop capabilities in the way execve does
+	if s.Process.User.UID != 0 {
+		s.Process.Capabilities.Effective = []string{}
+		s.Process.Capabilities.Permitted = []string{}
+	}
 	return nil
 }
 
diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go
@@ -105,7 +105,7 @@ Loop:
 		}
 		if len(call.Excludes.Caps) > 0 {
 			for _, c := range call.Excludes.Caps {
-				if inSlice(rs.Process.Capabilities.Effective, c) {
+				if inSlice(rs.Process.Capabilities.Bounding, c) {
 					continue Loop
 				}
 			}
@@ -117,7 +117,7 @@ Loop:
 		}
 		if len(call.Includes.Caps) > 0 {
 			for _, c := range call.Includes.Caps {
-				if !inSlice(rs.Process.Capabilities.Effective, c) {
+				if !inSlice(rs.Process.Capabilities.Bounding, c) {
 					continue Loop
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ Loop:`
`105`	`105`	`}`
`106`	`106`	`if len(call.Excludes.Caps) > 0 {`
`107`	`107`	`for _, c := range call.Excludes.Caps {`
`108`		`- if inSlice(rs.Process.Capabilities.Effective, c) {`
	`108`	`+ if inSlice(rs.Process.Capabilities.Bounding, c) {`
`109`	`109`	`continue Loop`
`110`	`110`	`}`
`111`	`111`	`}`
`@@ -117,7 +117,7 @@ Loop:`
`117`	`117`	`}`
`118`	`118`	`if len(call.Includes.Caps) > 0 {`
`119`	`119`	`for _, c := range call.Includes.Caps {`
`120`		`- if !inSlice(rs.Process.Capabilities.Effective, c) {`
	`120`	`+ if !inSlice(rs.Process.Capabilities.Bounding, c) {`
`121`	`121`	`continue Loop`
`122`	`122`	`}`
`123`	`123`	`}`