summaryrefslogtreecommitdiffhomepage
path: root/runsc/specutils
diff options
context:
space:
mode:
authorKevin Krakauer <krakauer@google.com>2019-04-26 16:50:35 -0700
committerShentubot <shentubot@google.com>2019-04-26 16:51:46 -0700
commit43dff57b878edb5502daf486cbc13b058780dd56 (patch)
tree5e01968cd8067277c0f17340505e57e98d977b2a /runsc/specutils
parent5749f64314d38516badec156ab048d3523294a81 (diff)
Make raw sockets a toggleable feature disabled by default.
PiperOrigin-RevId: 245511019 Change-Id: Ia9562a301b46458988a6a1f0bbd5f07cbfcb0615
Diffstat (limited to 'runsc/specutils')
-rw-r--r--runsc/specutils/specutils.go22
1 files changed, 16 insertions, 6 deletions
diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go
index af8d34535..32f81b8d4 100644
--- a/runsc/specutils/specutils.go
+++ b/runsc/specutils/specutils.go
@@ -198,20 +198,26 @@ func ReadMounts(f *os.File) ([]specs.Mount, error) {
// Capabilities takes in spec and returns a TaskCapabilities corresponding to
// the spec.
-func Capabilities(specCaps *specs.LinuxCapabilities) (*auth.TaskCapabilities, error) {
+func Capabilities(enableRaw bool, specCaps *specs.LinuxCapabilities) (*auth.TaskCapabilities, error) {
+ // Strip CAP_NET_RAW from all capability sets if necessary.
+ skipSet := map[linux.Capability]struct{}{}
+ if !enableRaw {
+ skipSet[linux.CAP_NET_RAW] = struct{}{}
+ }
+
var caps auth.TaskCapabilities
if specCaps != nil {
var err error
- if caps.BoundingCaps, err = capsFromNames(specCaps.Bounding); err != nil {
+ if caps.BoundingCaps, err = capsFromNames(specCaps.Bounding, skipSet); err != nil {
return nil, err
}
- if caps.EffectiveCaps, err = capsFromNames(specCaps.Effective); err != nil {
+ if caps.EffectiveCaps, err = capsFromNames(specCaps.Effective, skipSet); err != nil {
return nil, err
}
- if caps.InheritableCaps, err = capsFromNames(specCaps.Inheritable); err != nil {
+ if caps.InheritableCaps, err = capsFromNames(specCaps.Inheritable, skipSet); err != nil {
return nil, err
}
- if caps.PermittedCaps, err = capsFromNames(specCaps.Permitted); err != nil {
+ if caps.PermittedCaps, err = capsFromNames(specCaps.Permitted, skipSet); err != nil {
return nil, err
}
// TODO: Support ambient capabilities.
@@ -275,13 +281,17 @@ var capFromName = map[string]linux.Capability{
"CAP_AUDIT_READ": linux.CAP_AUDIT_READ,
}
-func capsFromNames(names []string) (auth.CapabilitySet, error) {
+func capsFromNames(names []string, skipSet map[linux.Capability]struct{}) (auth.CapabilitySet, error) {
var caps []linux.Capability
for _, n := range names {
c, ok := capFromName[n]
if !ok {
return 0, fmt.Errorf("unknown capability %q", n)
}
+ // Should we skip this capabilty?
+ if _, ok := skipSet[c]; ok {
+ continue
+ }
caps = append(caps, c)
}
return auth.CapabilitySetOfMany(caps), nil