Change libcontainer to drop all capabilities by default. Only keeps

vmarmol · vmarmol · commit 9d6875d19d39 · 2014-05-16T00:57:58.000Z
those that were specified in the config. This commit also explicitly
adds a set of capabilities that we were silently not dropping and were
assumed by the tests.

Docker-DCO-1.1-Signed-off-by: Victor Marmol &lt;vmarmol@google.com&gt; (github: vmarmol)
diff --git a/daemon/execdriver/native/template/default_template.go b/daemon/execdriver/native/template/default_template.go
@@ -26,6 +26,11 @@ func New() *libcontainer.Container {
 			"NET_ADMIN":      false,
 			"MKNOD":          true,
 			"SYSLOG":         false,
+			"SETUID":         true,
+			"SETGID":         true,
+			"CHOWN":          true,
+			"NET_RAW":        true,
+			"DAC_OVERRIDE":   true,
 		},
 		Namespaces: map[string]bool{
 			"NEWNS":  true,
diff --git a/pkg/libcontainer/security/capabilities/capabilities.go b/pkg/libcontainer/security/capabilities/capabilities.go
@@ -7,32 +7,34 @@ import (
 	"github.com/syndtr/gocapability/capability"
 )
 
-// DropCapabilities drops capabilities for the current process based
-// on the container's configuration.
+const allCapabilityTypes = capability.CAPS | capability.BOUNDS
+
+// DropCapabilities drops all capabilities for the current process expect those specified in the container configuration.
 func DropCapabilities(container *libcontainer.Container) error {
-	if drop := getCapabilitiesMask(container); len(drop) > 0 {
-		c, err := capability.NewPid(os.Getpid())
-		if err != nil {
-			return err
-		}
-		c.Unset(capability.CAPS|capability.BOUNDS, drop...)
+	c, err := capability.NewPid(os.Getpid())
+	if err != nil {
+		return err
+	}
 
-		if err := c.Apply(capability.CAPS | capability.BOUNDS); err != nil {
-			return err
-		}
+	keep := getEnabledCapabilities(container)
+	c.Clear(allCapabilityTypes)
+	c.Set(allCapabilityTypes, keep...)
+
+	if err := c.Apply(allCapabilityTypes); err != nil {
+		return err
 	}
 	return nil
 }
 
-// getCapabilitiesMask returns the specific cap mask values for the libcontainer types
-func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap {
-	drop := []capability.Cap{}
+// getCapabilitiesMask returns the capabilities that should not be dropped by the container.
+func getEnabledCapabilities(container *libcontainer.Container) []capability.Cap {
+	keep := []capability.Cap{}
 	for key, enabled := range container.CapabilitiesMask {
-		if !enabled {
+		if enabled {
 			if c := libcontainer.GetCapability(key); c != nil {
-				drop = append(drop, c.Value)
+				keep = append(keep, c.Value)
 			}
 		}
 	}
-	return drop
+	return keep
 }
diff --git a/pkg/libcontainer/types.go b/pkg/libcontainer/types.go
@@ -55,6 +55,11 @@ var (
 		{Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN},
 		{Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN},
 		{Key: "SYSLOG", Value: capability.CAP_SYSLOG},
+		{Key: "SETUID", Value: capability.CAP_SETUID},
+		{Key: "SETGID", Value: capability.CAP_SETGID},
+		{Key: "CHOWN", Value: capability.CAP_CHOWN},
+		{Key: "NET_RAW", Value: capability.CAP_NET_RAW},
+		{Key: "DAC_OVERRIDE", Value: capability.CAP_DAC_OVERRIDE},
 	}
 )
 

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,11 @@ var (`
`55`	`55`	`{Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN},`
`56`	`56`	`{Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN},`
`57`	`57`	`{Key: "SYSLOG", Value: capability.CAP_SYSLOG},`
	`58`	`+ {Key: "SETUID", Value: capability.CAP_SETUID},`
	`59`	`+ {Key: "SETGID", Value: capability.CAP_SETGID},`
	`60`	`+ {Key: "CHOWN", Value: capability.CAP_CHOWN},`
	`61`	`+ {Key: "NET_RAW", Value: capability.CAP_NET_RAW},`
	`62`	`+ {Key: "DAC_OVERRIDE", Value: capability.CAP_DAC_OVERRIDE},`
`58`	`63`	`}`
`59`	`64`	`)`
`60`	`65`