Skip to content

Commit

Permalink
capabilities: WARN, not ERROR, for unknown / unavailable capabilities
Browse files Browse the repository at this point in the history
This updates handling of capabilities to match the updated runtime specification,
in opencontainers/runtime-spec#1094.

Prior to that change, the specification required runtimes to produce a (fatal)
error if a container configuration requested capabilities that could not be
granted (either the capability is "unknown" to the runtime, not supported by the
kernel version in use, or not available in the environment that the runtime
operates in).

This caused problems in situations where the runtime was running in a restricted
environment (for example, docker-in-docker), or if there is a mismatch between
the list of capabilities known by higher-level runtimes and the OCI runtime.

Some examples:

- Kernel 5.8 introduced CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
  capabilities. Docker 20.10.0 ("higher level runtime") shipped with
  an updated list of capabilities, and when creating a "privileged" container,
  would determine what capabilities are known by the kernel in use, and request
  all those capabilities (by including them in the container config).
  However, runc did not yet have an updated list of capabilities, and therefore
  reject the container specification, producing an error because the new
  capabilities were "unknown".
- When running nested containers, for example, when running docker-in-docker,
  the "inner" container may be using a more recent version of docker than the
  "outer" container. In this situation, the "outer" container may be missing
  capabilities that the inner container expects to be supported (based on
  kernel version). However, starting the container would fail, because the OCI
  runtime could not grant those capabilities (them not being available in the
  environment it's running in).

WARN (but otherwise ignore) capabilities that cannot be granted
--------------------------------------------------------------------------------

This patch changes the handling to WARN (but otherwise ignore) capabilities that
are requested in the container config, but cannot be granted, alleviating higher
level runtimes to detect what capabilities are supported (by the kernel, and
in the current environment), as well as avoiding failures in situations where
the higher-level runtime is aware of capabilities that are not (yet) supported
by runc.

Impact on security
--------------------------------------------------------------------------------

Given that `capabilities` is an "allow-list", ignoring unknown capabilities does
not impose a security risk; worst case, a container does not get all requested
capabilities granted and, as a result, some actions may fail.

Backward-compatibility
--------------------------------------------------------------------------------

This change should be fully backward compatible. Higher-level runtimes that
already dynamically adjust the list of requested capabilities can continue to do
so. Runtimes that do not adjust will see an improvement (containers can start
even if some of the requested capabilities are not granted). Container processes
MAY fail (as described in "impact on security"), but users can debug this
situation either by looking at the warnings produces by the OCI runtime, or using
tools such as `capsh` / `libcap` to get the list of actual capabilities in the
container.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
  • Loading branch information
thaJeztah committed Mar 22, 2021
1 parent 3cc9670 commit 28f805b
Show file tree
Hide file tree
Showing 4 changed files with 159 additions and 27 deletions.
60 changes: 34 additions & 26 deletions libcontainer/capabilities/capabilities.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,11 @@
package capabilities

import (
"fmt"
"sort"
"strings"

"github.com/opencontainers/runc/libcontainer/configs"
"github.com/sirupsen/logrus"
"github.com/syndtr/gocapability/capability"
)

Expand Down Expand Up @@ -34,50 +35,57 @@ func init() {
}

// New creates a new Caps from the given Capabilities config. Unknown Capabilities
// or Capabilities that are unavailable in the current environment produce an error.
// or Capabilities that are unavailable in the current environment are ignored,
// printing a warning instead.
func New(capConfig *configs.Capabilities) (*Caps, error) {
var (
err error
c = Caps{caps: make(map[capability.CapType][]capability.Cap, len(capTypes))}
c Caps
)

if c.caps[capability.BOUNDING], err = capSlice(capConfig.Bounding); err != nil {
return nil, err
}
if c.caps[capability.EFFECTIVE], err = capSlice(capConfig.Effective); err != nil {
return nil, err
}
if c.caps[capability.INHERITABLE], err = capSlice(capConfig.Inheritable); err != nil {
return nil, err
}
if c.caps[capability.PERMITTED], err = capSlice(capConfig.Permitted); err != nil {
return nil, err
}
if c.caps[capability.AMBIENT], err = capSlice(capConfig.Ambient); err != nil {
return nil, err
unknownCaps := make(map[string]struct{})
c.caps = map[capability.CapType][]capability.Cap{
capability.BOUNDING: capSlice(capConfig.Bounding, unknownCaps),
capability.EFFECTIVE: capSlice(capConfig.Effective, unknownCaps),
capability.INHERITABLE: capSlice(capConfig.Inheritable, unknownCaps),
capability.PERMITTED: capSlice(capConfig.Permitted, unknownCaps),
capability.AMBIENT: capSlice(capConfig.Ambient, unknownCaps),
}
if c.pid, err = capability.NewPid2(0); err != nil {
return nil, err
}
if err = c.pid.Load(); err != nil {
return nil, err
}
if len(unknownCaps) > 0 {
logrus.Warn("ignoring unknown or unavailable capabilities: ", mapKeys(unknownCaps))
}
return &c, nil
}

// capSlice converts the slice of capability names in caps, to their numeric
// equivalent, and returns them as a slice. Unknown or unavailable capabilities
// produce an error.
func capSlice(caps []string) ([]capability.Cap, error) {
out := make([]capability.Cap, len(caps))
for i, c := range caps {
v, ok := capabilityMap[c]
if !ok {
return nil, fmt.Errorf("unknown capability %q", c)
// are not returned, but appended to unknownCaps.
func capSlice(caps []string, unknownCaps map[string]struct{}) []capability.Cap {
var out []capability.Cap
for _, c := range caps {
if v, ok := capabilityMap[c]; !ok {
unknownCaps[c] = struct{}{}
} else {
out = append(out, v)
}
out[i] = v
}
return out, nil
return out
}

// mapKeys returns the keys of input in sorted order
func mapKeys(input map[string]struct{}) []string {
var keys []string
for c := range input {
keys = append(keys, c)
}
sort.Strings(keys)
return keys
}

// Caps holds the capabilities for a container.
Expand Down
34 changes: 33 additions & 1 deletion libcontainer/capabilities/capabilities_linux_test.go
Original file line number Diff line number Diff line change
@@ -1,14 +1,18 @@
package capabilities

import (
"io/ioutil"
"os"
"testing"

"github.com/opencontainers/runc/libcontainer/configs"
"github.com/sirupsen/logrus"
"github.com/sirupsen/logrus/hooks/test"
"github.com/syndtr/gocapability/capability"
)

func TestNew(t *testing.T) {
cs := []string{"CAP_CHOWN"}
cs := []string{"CAP_CHOWN", "CAP_UNKNOWN", "CAP_UNKNOWN2"}
conf := configs.Capabilities{
Bounding: cs,
Effective: cs,
Expand All @@ -17,10 +21,36 @@ func TestNew(t *testing.T) {
Ambient: cs,
}

hook := test.NewGlobal()
defer hook.Reset()

logrus.SetOutput(ioutil.Discard)
caps, err := New(&conf)
logrus.SetOutput(os.Stderr)

if err != nil {
t.Error(err)
}
e := hook.AllEntries()
if len(e) != 1 {
t.Errorf("expected 1 warning, got %d", len(e))
}

expectedLogs := logrus.Entry{
Level: logrus.WarnLevel,
Message: "ignoring unknown or unavailable capabilities: [CAP_UNKNOWN CAP_UNKNOWN2]",
}

l := hook.LastEntry()
if l == nil {
t.Fatal("expected a warning, but got none")
}
if l.Level != expectedLogs.Level {
t.Errorf("expected %q, got %q", expectedLogs.Level, l.Level)
}
if l.Message != expectedLogs.Message {
t.Errorf("expected %q, got %q", expectedLogs.Message, l.Message)
}

if len(caps.caps) != len(capTypes) {
t.Errorf("expected %d capability types, got %d: %v", len(capTypes), len(caps.caps), caps.caps)
Expand All @@ -36,4 +66,6 @@ func TestNew(t *testing.T) {
continue
}
}

hook.Reset()
}

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions vendor/modules.txt
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ github.com/shurcooL/sanitized_anchor_name
# github.com/sirupsen/logrus v1.7.0
## explicit
github.com/sirupsen/logrus
github.com/sirupsen/logrus/hooks/test
# github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
## explicit
github.com/syndtr/gocapability/capability
Expand Down

0 comments on commit 28f805b

Please sign in to comment.