From df19888f83c8718a570cdfb07b185143524cdce2 Mon Sep 17 00:00:00 2001
From: "rongfu.leng"
Date: Mon, 23 Oct 2023 23:13:19 +0800
Subject: [PATCH] add warning use inheritable Capabilities

Signed-off-by: rongfu.leng
---
 pkg/cri/server/service.go | 3 ++
 pkg/cri/server/service_test.go | 59 ++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)

diff --git a/pkg/cri/server/service.go b/pkg/cri/server/service.go
index 058c28878036..070c81be462d 100644
--- a/pkg/cri/server/service.go
+++ b/pkg/cri/server/service.go
@@ -417,6 +417,9 @@ func loadBaseOCISpecs(config *criconfig.Config) (map[string]*oci.Spec, error) {
 return nil, fmt.Errorf("failed to load base OCI spec from file: %s: %w", cfg.BaseRuntimeSpec, err)
 }
+ if spec.Process != nil && spec.Process.Capabilities != nil && len(spec.Process.Capabilities.Inheritable) > 0 {
+ log.L.WithField("base_runtime_spec", cfg.BaseRuntimeSpec).Warn("Provided base runtime spec includes inheritable capabilities, which may be unsafe. See CVE-2022-24769 for more details.")
+ }
 specs[cfg.BaseRuntimeSpec] = spec
 }
diff --git a/pkg/cri/server/service_test.go b/pkg/cri/server/service_test.go
index 960f43ce53ce..41b997f9bf8c 100644
--- a/pkg/cri/server/service_test.go
+++ b/pkg/cri/server/service_test.go
@@ -17,7 +17,9 @@ package server
 import (
+ "bytes"
 "encoding/json"
+ "io"
 "os"
 "testing"
@@ -33,6 +35,9 @@ import (
 servertesting "github.com/containerd/containerd/v2/pkg/cri/testing"
 ostesting "github.com/containerd/containerd/v2/pkg/os/testing"
 "github.com/containerd/containerd/v2/pkg/registrar"
+ "github.com/containerd/log"
+ "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/sirupsen/logrus"
 )
 // newTestCRIService creates a fake criService for test.
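Review bot: The new warning in loadBaseOCISpecs tells an operator that the base spec carries inheritable capabilities but not which ones, and since the spec is still stored unchanged on the next line (`specs[cfg.BaseRuntimeSpec] = spec`) this log line is the only signal they get. Attaching the list makes the message actionable without touching the behaviour: `log.L.WithField("base_runtime_spec", cfg.BaseRuntimeSpec).WithField("inheritable", spec.Process.Capabilities.Inheritable).Warn("Provided base runtime spec includes inheritable capabilities, which may be unsafe. See CVE-2022-24769 for more details.")`. It would also help to add a short comment above the check, e.g. `// Inheritable caps in the base spec are used as-is; warn so operators can review them (CVE-2022-24769).`, so the intent survives the next refactor. Note that loadBaseOCISpecs begins before this hunk and continues after it.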
@@ -82,3 +87,57 @@ func TestLoadBaseOCISpec(t *testing.T) {
 assert.Equal(t, "1.0.2", out.Version)
 assert.Equal(t, "default", out.Hostname)
 }
+
+func Test_loadBaseOCISpecs(t *testing.T) {
+ spec := oci.Spec{
+ Version: "1.0.2",
+ Hostname: "default",
+ Process: &specs.Process{
+ Capabilities: &specs.LinuxCapabilities{
+ Inheritable: []string{"CAP_NET_RAW"},
+ },
+ },
+ }
+ file, err := os.CreateTemp("", "spec-test-")
+ require.NoError(t, err)
+ defer func() {
+ assert.NoError(t, file.Close())
+ assert.NoError(t, os.RemoveAll(file.Name()))
+ }()
+ err = json.NewEncoder(file).Encode(&spec)
+ require.NoError(t, err)
+ config := criconfig.Config{}
+ config.Runtimes = map[string]criconfig.Runtime{
+ "runc": {BaseRuntimeSpec: file.Name()},
+ }
+ var buffer bytes.Buffer
+ logger := &logrus.Logger{
+ Out: &buffer,
+ Formatter: new(logrus.TextFormatter),
+ Hooks: make(logrus.LevelHooks),
+ Level: logrus.InfoLevel,
+ ExitFunc: os.Exit,
+ ReportCaller: false,
+ }
+ log.L = logrus.NewEntry(logger)
+ tests := []struct {
+ name string
+ args *criconfig.Config
+ message string
+ }{
+ {
+ name: "args is not nil,print warning",
+ args: &config,
+ message: "Provided base runtime spec includes inheritable capabilities, which may be unsafe. See CVE-2022-24769 for more details.",
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ loadBaseOCISpecs(tt.args)
+ readAll, _ := io.ReadAll(&buffer)
+ if tt.message != "" {
+ assert.Contains(t, string(readAll), tt.message)
+ }
+ })
+ }
+}
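Review bot: Test_loadBaseOCISpecs overwrites the package-global `log.L` and never restores it, so the buffer-backed logger leaks into every test that runs after it in this package, and the call `loadBaseOCISpecs(tt.args)` drops both the returned map and the error, so a spec that fails to load would only show up as a missing warning rather than as the real failure. Saving and restoring `log.L` with `t.Cleanup`, checking the error with `require.NoError`, and reading the captured output via `buffer.String()` (which also avoids the ignored error from `io.ReadAll`) fixes all three. The table currently has only a positive case; adding a spec with no inheritable capabilities and asserting the warning is absent would pin the condition the change introduces.

```go
func Test_loadBaseOCISpecs(t *testing.T) {
	// … unchanged: spec, temp file and config setup …
	var buffer bytes.Buffer
	// … unchanged: logger construction …
	origLogger := log.L
	log.L = logrus.NewEntry(logger)
	t.Cleanup(func() { log.L = origLogger })
	// … unchanged: table definition …
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			buffer.Reset()
			_, err := loadBaseOCISpecs(tt.args)
			require.NoError(t, err)
			if tt.message != "" {
				assert.Contains(t, buffer.String(), tt.message)
			}
		})
	}
}
```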