// FinalizeNamespace drops the caps, sets the correct user
// and working dir, and closes any leaky file descriptors
// before execing the command inside the namespace.
//
// The stages run in a fixed order and the first failure aborts:
// inherited descriptors from fd 3 upward are closed, the bounding set
// is reduced before the uid changes, keep-caps brackets the switch to
// container.User so the remaining capabilities survive it, the other
// capabilities are dropped afterwards, and finally the working
// directory (if one is configured) is entered.
func FinalizeNamespace(container *libcontainer.Container) error {
	// wrap prefixes a stage's error with its context and lets a nil
	// result pass through, so every stage below reads as one line.
	wrap := func(format string, err error) error {
		if err == nil {
			return nil
		}
		return fmt.Errorf(format, err)
	}

	if err := wrap("close open file descriptors %s", system.CloseFdsFrom(3)); err != nil {
		return err
	}
	// drop capabilities in bounding set before changing user
	if err := wrap("drop bounding set %s", capabilities.DropBoundingSet(container)); err != nil {
		return err
	}
	// preserve existing capabilities while we change users
	if err := wrap("set keep caps %s", system.SetKeepCaps()); err != nil {
		return err
	}
	if err := wrap("setup user %s", SetupUser(container.User)); err != nil {
		return err
	}
	if err := wrap("clear keep caps %s", system.ClearKeepCaps()); err != nil {
		return err
	}
	// drop all other capabilities
	if err := wrap("drop capabilities %s", capabilities.DropCapabilities(container)); err != nil {
		return err
	}

	// chdir carries two format arguments, so it is handled inline.
	if dir := container.WorkingDir; dir != "" {
		if err := system.Chdir(dir); err != nil {
			return fmt.Errorf("chdir to %s %s", dir, err)
		}
	}
	return nil
}
// finalizeNamespace prepares the current process to exec inside the
// container: it marks inherited fds from 3 upward close-on-exec,
// reduces the capability sets unless args.Privileged is set, switches
// to args.User and enters the working directory.
//
// Capability handling starts from the native driver's default
// template so the caps are consistent across both drivers; args.CapAdd
// and args.CapDrop are colon-separated lists applied on top of it via
// execdriver.TweakCapabilities. In the privileged case no capability
// is touched at all.
func finalizeNamespace(args *InitArgs) error {
	if err := utils.CloseExecFrom(3); err != nil {
		return err
	}

	// We use the native drivers default template so that things like
	// caps are consistent across both drivers.
	container := template.New()
	privileged := args.Privileged

	if !privileged {
		// Shrink the bounding set while still running as the original
		// user, then keep the effective caps across the uid switch.
		if err := capabilities.DropBoundingSet(container.Capabilities); err != nil {
			return fmt.Errorf("drop bounding set %s", err)
		}
		if err := system.SetKeepCaps(); err != nil {
			return fmt.Errorf("set keep caps %s", err)
		}
	}

	if err := namespaces.SetupUser(args.User); err != nil {
		return fmt.Errorf("setup user %s", err)
	}

	if privileged {
		return setupWorkingDirectory(args)
	}

	if err := system.ClearKeepCaps(); err != nil {
		return fmt.Errorf("clear keep caps %s", err)
	}

	// An empty list stays nil so TweakCapabilities sees "nothing to
	// add/drop" rather than a single empty name.
	splitCaps := func(list string) []string {
		if list == "" {
			return nil
		}
		return strings.Split(list, ":")
	}
	caps, err := execdriver.TweakCapabilities(container.Capabilities, splitCaps(args.CapAdd), splitCaps(args.CapDrop))
	if err != nil {
		return err
	}
	// drop all other capabilities
	if err := capabilities.DropCapabilities(caps); err != nil {
		return fmt.Errorf("drop capabilities %s", err)
	}

	return setupWorkingDirectory(args)
}
// FinalizeNamespace drops the caps, sets the correct user
// and working dir, and closes any leaky file descriptors
// before execing the command inside the namespace.
//
// Order matters: inherited descriptors are marked close-on-exec first,
// the bounding set is reduced while still running as the original
// user, keep-caps is set so the capabilities in container.Capabilities
// survive the switch to container.User, and only then are the other
// capabilities dropped and the working directory entered. The first
// failing stage aborts the sequence with a contextualised error.
func FinalizeNamespace(container *libcontainer.Config) error {
	// step attaches the stage's context to a non-nil error and passes
	// nil through unchanged.
	step := func(format string, err error) error {
		if err == nil {
			return nil
		}
		return fmt.Errorf(format, err)
	}

	// Ensure that all non-standard fds we may have accidentally
	// inherited are marked close-on-exec so they stay out of the
	// container.
	if err := step("close open file descriptors %s", utils.CloseExecFrom(3)); err != nil {
		return err
	}
	// drop capabilities in bounding set before changing user
	if err := step("drop bounding set %s", capabilities.DropBoundingSet(container.Capabilities)); err != nil {
		return err
	}
	// preserve existing capabilities while we change users
	if err := step("set keep caps %s", system.SetKeepCaps()); err != nil {
		return err
	}
	if err := step("setup user %s", SetupUser(container.User)); err != nil {
		return err
	}
	if err := step("clear keep caps %s", system.ClearKeepCaps()); err != nil {
		return err
	}
	// drop all other capabilities
	if err := step("drop capabilities %s", capabilities.DropCapabilities(container.Capabilities)); err != nil {
		return err
	}

	if dir := container.WorkingDir; dir != "" {
		if err := system.Chdir(dir); err != nil {
			return fmt.Errorf("chdir to %s %s", dir, err)
		}
	}
	return nil
}
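// dropCaps drops every capability from the bounding set except the
// whitelist below, taken from
// https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_template.go
//
// A failure from capabilities.DropBoundingSet is returned to the caller
// rather than panicking, so the caller can report it and abort; the
// previous version panicked on error and so could never return a
// non-nil error despite its signature.
func dropCaps() error {
	// Entries deliberately excluded from the upstream template are kept
	// as comments so the delta stays visible to reviewers.
	keep := []string{
		"CHOWN",
		"DAC_OVERRIDE",
		"FSETID",
		"FOWNER",
		//"MKNOD",
		//"NET_RAW",
		//"SETGID",
		//"SETUID",
		"SETFCAP",
		"SETPCAP",
		"NET_BIND_SERVICE",
		"SYS_CHROOT",
		"KILL",
		"AUDIT_WRITE",
	}
	return capabilities.DropBoundingSet(keep)
}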
// DropBoundingSet narrows the process capability bounding set to the
// capabilities listed in container.Capabilities by delegating to
// capabilities.DropBoundingSet, whose error is returned unchanged.
func DropBoundingSet(container *libcontainer.Config) error {
	keep := container.Capabilities
	return capabilities.DropBoundingSet(keep)
}