drivers/exec: Restore 0.8 capabilities #5728

Merged
merged 7 commits into from
May 29, 2019

@notnoop notnoop commented May 20, 2019

Nomad 0.9 incidentally set effective capabilities that are higher than
what's expected of a nobody process, and what's set in 0.8.

This change restores the capabilities to ones used in Nomad 0.8.

The capabilities impact is non-trivial. Some operations (e.g. mount/shutdown) seem to check for effective uid so by default nobody user wouldn't be doing much damage. On the other hand, other operations seem to succeed, e.g. binding to privileged ports as nobody.

Some capabilities are dangerous: CAP_DAC_OVERRIDE allowed processes to read and manipulate any accessible paths bypassing file permission checks. Restoring proper permissions unmasked two tests that didn't have permissions set correctly.
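
An added example, not part of the pull request or of Nomad's code: a Go check that reads the text of `/proc/<pid>/status` for a task process and reports which risky capabilities are in its effective set, so an operator can confirm that a `nobody` task holds none. The helper name `auditStatus`, the short `risky` list, the sample status text and the rule that a non-root task should have an empty effective set are assumptions of this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Bit numbers from linux/capability.h; this short list is the example's choice.
var risky = map[uint]string{1: "CAP_DAC_OVERRIDE", 10: "CAP_NET_BIND_SERVICE",
	21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT"}

// auditStatus (hypothetical helper) parses /proc/<pid>/status text and returns
// the effective UID, the CapEff mask and the risky capabilities set in it.
func auditStatus(status string) (euid int, capEff uint64, found []string, err error) {
	euid, seenCap := -1, false
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "Uid:" { // Uid: real effective saved fs
			if euid, err = strconv.Atoi(f[2]); err != nil {
				return
			}
		} else if len(f) == 2 && f[0] == "CapEff:" { // hex bitmask
			if capEff, err = strconv.ParseUint(f[1], 16, 64); err != nil {
				return
			}
			seenCap = true
		}
	}
	if euid < 0 || !seenCap {
		return euid, capEff, nil, errors.New("status text lacks Uid or CapEff")
	}
	for bit := uint(0); bit < 64; bit++ { // ascending order keeps output stable
		if name, ok := risky[bit]; ok && capEff&(1<<bit) != 0 {
			found = append(found, name)
		}
	}
	return
}

// Constructed sample, not captured from a Nomad task.
const sample = "Name:\tsleep\nUid:\t65534\t65534\t65534\t65534\nCapEff:\t00000000a80425fb\n"

func main() {
	euid, mask, found, err := auditStatus(sample)
	fmt.Println(euid, err, euid != 0 && mask != 0, found) // third value: policy violated
}
```

On a live host, pass the contents of `/proc/<pid>/status` for the task's PID instead of `sample`.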

Nomad 0.9 incidentally set effective capabilities that are higher than
what's expected of a `nobody` process, and what's set in 0.8.

This change restores the capabilities to ones used in Nomad 0.9.
)

// initialize the allCaps var with all capabilities available on the system
func init() {
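Review bot: the `func init()` that closes this hunk fills `allCaps` at package load, so every process that links this package enumerates the system's capabilities and keeps a package-level list, even if it never launches a container. Consider computing the list in the one code path that configures the container and passing it as a value; if `init()` stays, the comment above it should say which caller consumes `allCaps`.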
Contributor Author

I chose to avoid using an initializer here. It's only used once at launching executor container (and an executor process only launches a single container now), and we don't need to initialize it in main nomad/logmon/etc process.

@schmichael
Member

Oops, don't forget changelog entry

@notnoop
Contributor Author

notnoop commented May 21, 2019

So noticed that tests are failing and I'm failing to create some containers unexpectedly; so will dig in and request another review.

@notnoop notnoop force-pushed the restore-08-caps branch from 54232c0 to 1a6454d Compare May 24, 2019 18:11
@notnoop notnoop force-pushed the restore-08-caps branch from 2c430f2 to a1414bd Compare May 24, 2019 21:07
Member

@schmichael schmichael left a comment

Looks like some tests are still failing.

drivers/shared/executor/executor_linux.go (resolved)
@notnoop notnoop force-pushed the restore-08-caps branch from 1aad4c6 to 6217d50 Compare May 25, 2019 02:38
@notnoop
Contributor Author

notnoop commented May 25, 2019

@schmichael Oops - I updated tests and they are passing now.

@notnoop notnoop merged commit 86a6569 into master May 29, 2019
notnoop pushed a commit that referenced this pull request Jun 4, 2019
nilium added a commit to nilium/ecks-bops-packages that referenced this pull request Jun 5, 2019
Nomad 0.9.2 addresses CVE-2019-12618 (hashicorp/nomad#5728).

Removes yarn build error -- no longer required as the assets are
vendored, so it's possible to build this on i686.

Removes nonvidia patch. The changes are upstream in 0.9.2.
the-maldridge pushed a commit to void-linux/void-packages that referenced this pull request Jun 8, 2019
Nomad 0.9.2 addresses CVE-2019-12618 (hashicorp/nomad#5728).

Removes yarn build error -- no longer required as the assets are
vendored, so it's possible to build this on i686.

Removes nonvidia patch. The changes are upstream in 0.9.2.

Closes: #12169 [via git-merge-pr]
@notnoop notnoop deleted the restore-08-caps branch June 8, 2019 22:36
github-actions bot commented Feb 9, 2023

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 9, 2023