path: root/runsc/cmd/gofer.go
authorFabricio Voznika <fvoznika@google.com>2018-06-08 09:58:29 -0700
committerShentubot <shentubot@google.com>2018-06-08 09:59:26 -0700
commit5c51bc51e43a0f1d1f06ae490b0d352d1b483766 (patch)
tree356f35ee9f4980879a0b1ae2f975fae1e041de18 /runsc/cmd/gofer.go
parent5c37097e34a513845d77bb8b7240f0074aa1c1e9 (diff)
Drop capabilities not needed by Gofer
PiperOrigin-RevId: 199808391 Change-Id: Ib37a4fb6193dc85c1f93bc16769d6aa41854b9d4
Diffstat (limited to 'runsc/cmd/gofer.go')
-rw-r--r--runsc/cmd/gofer.go30
1 files changed, 30 insertions, 0 deletions
diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go
index 844e16dbf..39803bde5 100644
--- a/runsc/cmd/gofer.go
+++ b/runsc/cmd/gofer.go
@@ -15,11 +15,13 @@
package cmd
import (
+ "os"
"sync"
"context"
"flag"
"github.com/google/subcommands"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
"gvisor.googlesource.com/gvisor/pkg/log"
"gvisor.googlesource.com/gvisor/pkg/p9"
"gvisor.googlesource.com/gvisor/pkg/unet"
@@ -32,6 +34,7 @@ import (
type Gofer struct {
bundleDir string
ioFDs intFlags
+ applyCaps bool
}
// Name implements subcommands.Command.
@@ -53,6 +56,7 @@ func (*Gofer) Usage() string {
func (g *Gofer) SetFlags(f *flag.FlagSet) {
f.StringVar(&g.bundleDir, "bundle", "", "path to the root of the bundle directory, defaults to the current directory")
f.Var(&g.ioFDs, "io-fds", "list of FDs to connect 9P servers. They must follow this order: root first, then mounts as defined in the spec")
+ f.BoolVar(&g.applyCaps, "apply-caps", true, "if true, apply capabilities to restrict what the Gofer process can do")
}
// Execute implements subcommands.Command.
@@ -66,6 +70,32 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
if err != nil {
Fatalf("error reading spec: %v", err)
}
+
+ if g.applyCaps {
+ // Minimal set of capabilities needed by the Gofer to operate on files.
+ caps := []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ }
+ lc := &specs.LinuxCapabilities{
+ Bounding: caps,
+ Effective: caps,
+ Permitted: caps,
+ }
+
+ // Disable caps when calling myself again.
+ // Note: minimal argument handling for the default case to keep it simple.
+ args := os.Args
+ args = append(args, "--apply-caps=false")
+ if err := setCapsAndCallSelf(spec, args, lc); err != nil {
+ Fatalf("Unable to apply caps: %v", err)
+ }
+ panic("unreachable")
+ }
+
specutils.LogSpec(spec)
// Start with root mount, then add any other addition mount as needed.
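Review bot: The `--apply-caps=false` override is appended after every existing argument (`args = append(args, "--apply-caps=false")`), and Go's flag package stops parsing at the first non-flag argument, so an invocation that carries a positional argument or a `--` terminator would leave the re-executed child with applyCaps still true and it would re-exec itself again without bound. The comment acknowledges minimal argument handling; either insert the flag immediately after the subcommand name (before any positional argument) or have the child detect the re-exec by a signal that does not depend on flag order, and state the assumption next to the code, e.g. `// The child must see --apply-caps=false before any positional argument; flag parsing stops at the first non-flag.`. Separately, `lc` populates only Bounding, Effective and Permitted; whether the inheritable and ambient sets matter depends on how setCapsAndCallSelf re-execs, which is outside this hunk, so a one-line comment on why those two are intentionally left empty (presumably the new image runs as the same uid, so the bounding set alone governs what survives exec) would keep the next reader from "fixing" it. A short reason per capability in the `caps` list (what file operation each one is needed for) would also make future tightening of this set safer. Execute begins and ends outside the hunk.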