Fix capability detection for privileged containers #1086
Merged
Description
Privileged containers do not list each cap by name; instead they lead with `=eip` and selectively remove caps with `cap_foo_bar-eip`. Instead we can use the `--has-p` flag of capsh to check for the permitted cap.

See: https://k3a.me/linux-capabilities-in-a-nutshell/
See: https://man7.org/linux/man-pages/man1/capsh.1.html
Motivation and Context
This will allow privileged containers to not fail the `fix_capabilities` check as they do today.

How Has This Been Tested?
Confirmed on a Ubuntu desktop environment with Docker 20.10 that privileged containers do not show all the caps expected by the `fix_capabilities` function. Instead it adopts all caps (`=eip`) and specifically removes some.

```
$ docker run --rm -it alpine sh -c 'apk add --no-cache libcap && capsh == --print | grep Current: | grep -q cap_net_admin ; echo $?'
1
$ docker run --rm -it --cap-add NET_ADMIN alpine sh -c 'apk add --no-cache libcap && capsh == --print | grep Current: | grep -q cap_net_admin ; echo $?'
0
```

However, the `--has-p` flag will correctly identify the permitted capabilities.

```
$ docker run --rm -it alpine sh -c 'apk add --no-cache libcap && capsh --has-p=cap_net_admin ; echo $?'
cap[cap_net_admin] not permitted
1
$ docker run --rm -it --cap-add NET_ADMIN alpine sh -c 'apk add --no-cache libcap && capsh --has-p=cap_net_admin ; echo $?'
0
```
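The failure mode the PR describes is that `grep cap_net_admin` on the `Current:` line cannot see a capability that is granted by the all-caps `=eip` clause and never named. The following is an added example, not code from this PR or its project: a small POSIX sh function that evaluates a `Current:` line clause by clause (the simplified `names op flags` grammar of cap_from_text(3), where an empty name list means every capability, `=` assigns the listed flags, `+` raises them and `-` lowers them), so it gives the right answer for both the enumerated form and the privileged `=eip cap_x-eip` form. The sample lines are constructed, not captured from a real container, and the `cap_permitted_now` wrapper assumes that `capsh --help` lists `--has-p` when the installed libcap supports it; `capsh --has-p`, as used in the PR, remains the preferred check wherever it is available.

```shell
#!/bin/sh
# Added example (not part of the PR or the project): decide whether one
# capability is permitted according to a capsh "Current:" line.  Handles the
# enumerated form (cap_a,cap_b+eip) and the privileged form (=eip cap_x-eip).
# Clause grammar is a simplified reading of cap_from_text(3): "names op flags",
# empty name list = all capabilities, "=" assigns, "+" raises, "-" lowers.

# cap_permitted_in_line LINE CAPNAME -> exit 0 if CAPNAME is permitted, else 1
cap_permitted_in_line() {
    cpl_line=${1#Current:}
    cpl_want=$2
    cpl_perm=0
    for cpl_clause in $cpl_line; do
        # Split the clause into its name list and the operator/flag tail.
        cpl_names=${cpl_clause%%[=+-]*}
        cpl_ops=${cpl_clause#"$cpl_names"}
        # Does this clause apply to the capability being asked about?
        case ",$cpl_names," in
            ",,") cpl_applies=1 ;;             # empty list: every capability
            *",$cpl_want,"*) cpl_applies=1 ;;
            *) cpl_applies=0 ;;
        esac
        # A clause may chain several operators, e.g. cap_chown=ep+i.
        while [ -n "$cpl_ops" ]; do
            cpl_op=${cpl_ops%"${cpl_ops#?}"}   # first character is the operator
            cpl_ops=${cpl_ops#?}
            cpl_flags=${cpl_ops%%[=+-]*}       # flag letters up to the next operator
            cpl_ops=${cpl_ops#"$cpl_flags"}
            [ "$cpl_applies" -eq 1 ] || continue
            case $cpl_flags in *p*) cpl_hasp=1 ;; *) cpl_hasp=0 ;; esac
            case $cpl_op in
                =) cpl_perm=$cpl_hasp ;;
                +) if [ "$cpl_hasp" -eq 1 ]; then cpl_perm=1; fi ;;
                -) if [ "$cpl_hasp" -eq 1 ]; then cpl_perm=0; fi ;;
            esac
        done
    done
    [ "$cpl_perm" -eq 1 ]
}

# cap_permitted_now CAPNAME: prefer "capsh --has-p" (what the PR switches to) and
# only fall back to parsing "capsh --print" on a capsh that predates the flag.
# Assumption: the capsh usage text names --has-p when it is supported.
cap_permitted_now() {
    if capsh --help 2>&1 | grep -q -- '--has-p'; then
        capsh --has-p="$1" >/dev/null 2>&1
    else
        cap_permitted_in_line "$(capsh --print | grep '^Current:')" "$1"
    fi
}

# Constructed sample "Current:" lines (not captured from a real container).
SAMPLE_ENUMERATED='Current: = cap_chown,cap_dac_override,cap_net_admin+eip'
SAMPLE_PRIVILEGED='Current: =eip cap_perfmon,cap_bpf-eip'
SAMPLE_NEW_STYLE='Current: cap_chown=ep cap_net_admin=i'

# The grep the PR replaces gives the wrong answer on the privileged form:
echo "$SAMPLE_PRIVILEGED" | grep -q cap_net_admin \
    && echo "grep: cap_net_admin present" \
    || echo "grep: cap_net_admin absent (wrong, it is granted by =eip)"

# The clause evaluator sees the =eip grant and the explicit removal.
for want in cap_net_admin cap_bpf; do
    if cap_permitted_in_line "$SAMPLE_PRIVILEGED" "$want"; then
        echo "parser: $want permitted"
    else
        echo "parser: $want not permitted"
    fi
done
```

Run it with `sh` on any box; the parser part needs no libcap at all, which also makes it usable for checking `Current:` lines collected from containers you cannot exec into. Only `cap_permitted_now` calls capsh.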