Add support for ambient capabilities #26979
ping @tianon too

```go
testRequires(c, DaemonIsLinux, ambientCapabilities)

// test that a non root user can gain capabilities
// (flag and value are separate argv elements; exec.Command does no shell splitting)
runCmd := exec.Command(dockerBinary, "run", "--user", "1000", "--cap-add", "chown", "busybox", "chown", "100", "/tmp")
```
Should we have a failing test as well, to verify that it won't work without this?
Done
The test failures look like they are related to other changes in
I tested this and it works fine for me 👍
@mrunalp Ambient Capabilities are available in RHEL7.3.
@jeremyeder Awesome. I had only tested on RHEL 7.2 and wasn't sure about status in 7.3
Found some issues when working on moby#26979 which looked unrelated to that PR but may be related to other changes. Signed-off-by: Justin Cormack <[email protected]>
to write files belonging to the root uid, for example. User namespaces also allow capabilities to be granted to processes that are effectively non root, but these capabilities are limited to resources created in the user namespace, so they have limitations.
This now needs to be moved somewhere in the https://github.com/docker/docker.gihub.io repository (I'm ok with keeping it here as well, as that repository does not yet have docs for 1.13 it seems)
LGTM
Linux kernel 4.3 and later supports "ambient capabilities" which are the only way to pass capabilities to containers running as a non root uid. Previously there was no way to allow containers not running as root capabilities in a useful way. Fix moby#8460 Signed-off-by: Justin Cormack <[email protected]>
LGTM
Given that there's no docs for 1.13 yet in the https://github.com/docker/docker.gihub.io repository, I'm moving this to "merge". There'll probably be a sync with that repository in the near future. /cc @johndmulhausen @mstanleyjones
I got this into the
@mstanleyjones I was about to open a pull request to revert the documentation changes in this PR, but I cannot find these changes in your sync of october 10th; https://github.com/docker/docker.github.io/blob/e4bce35ac2d2963e0f52414ca98742c60e8df510/engine/security/seccomp.md Should we check if things got lost in that sync?
Merged #584 which addresses @thaJeztah comment above. Thanks!
Removes some test functions that were unused: - bridgeNfIP6tables - ambientCapabilities (added to support moby#26979, which was reverted in moby#27737) - overlay2Supported Signed-off-by: Sebastiaan van Stijn <[email protected]>
Removes some test functions that were unused: - bridgeNfIP6tables - ambientCapabilities (added to support moby#26979, which was reverted in moby#27737) - overlay2Supported Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit c887b09) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Removes some test functions that were unused: - bridgeNfIP6tables - ambientCapabilities (added to support moby#26979, which was reverted in moby#27737) - overlay2Supported Signed-off-by: Sebastiaan van Stijn <[email protected]> Signed-off-by: zach <[email protected]>
This change was reverted for docker 1.13 (see #27737)
Linux kernel 4.3 and later supports "ambient capabilities" which are the
only way to pass capabilities to containers running as a non root uid.
Previously there was no way to allow containers not running as root
capabilities in a useful way.
Fix #8460
Signed-off-by: Justin Cormack [email protected]
NOTE: actual `runc` update was included in #27160 so this is just a docs and tests change now.

NOTE: This will grant the default capabilities to containers that are run as a non root user. This might be surprising, for example we grant `cap_chown` by default, so with this PR `docker run -u 1000 busybox chown 100 /tmp` will just work. We could grant fewer capabilities to containers not running as root, by default, but this might break users who expect `sudo chown ...` to work. In general as running as non root is strictly better than running as root, I think it is best to leave this, as the default capabilities are mostly harmless, and I am planning other patches to allow reducing the default capability set globally. Open to discussion on this.

Chill Out with Ambient Capabilities