author | Anita Zhang <the.anitazha@gmail.com> | 2019-06-03 16:25:43 -0700 |
committer | Lennart Poettering <lennart@poettering.net> | 2019-06-20 21:46:36 +0200 |
commit | f66ad46066a9911192f0b49eb06dae7dafc0c983 (patch) | |
tree | 12f50d541691c9ee7e9e92e23e53d9966d4ad94b /src/nspawn | |
parent | a5a4dfa1bc0078c858c250cbe6e97c0c04bf90f8 (diff) | |
download | systemd-f66ad46066a9911192f0b49eb06dae7dafc0c983.tar.gz |
nspawn: don't hard fail when setting capabilities
The OCI changes in #9762 broke a use case in which we use nspawn from
inside a container that has dropped capabilities from the bounding set
that nspawn expected to retain. In an attempt to keep OCI compliance
and support our use case, I made hard failing on setting capabilities
not in the bounding set optional (hard fail if using OCI and log only
if using nspawn cmdline).
Fixes #12539
Diffstat (limited to 'src/nspawn')
-rw-r--r-- | src/nspawn/nspawn.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 5079918ae1..1c0187ae5c 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2317,7 +2317,11 @@ static int drop_capabilities(uid_t uid) {
 if (q.ambient == (uint64_t) -1 && ambient_capabilities_supported())
 q.ambient = 0;
- } else
+
+ if (capability_quintet_mangle(&q))
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Cannot set capabilities that are not in the current bounding set.");
+
+ } else {
 q = (CapabilityQuintet) {
 .bounding = arg_caps_retain,
 .effective = uid == 0 ? arg_caps_retain : 0,
@@ -2326,6 +2330,13 @@ static int drop_capabilities(uid_t uid) {
 .ambient = ambient_capabilities_supported() ? 0 : (uint64_t) -1,
 };
+ /* If we're not using OCI, proceed with mangled capabilities (so we don't error out)
+ * in order to maintain the same behavior as systemd < 242. */
+ if (capability_quintet_mangle(&q))
+ log_warning("Some capabilities will not be set because they are not in the current bounding set.");
+
+ }
+
 return capability_quintet_enforce(&q);
 }
|
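Review bot: The warning added in the second hunk does not say which capabilities were silently dropped, so an operator who passed an explicit `--capability=` set cannot tell from the log whether a capability they rely on is actually missing in the container; since `capability_quintet_mangle()` rewrites `q` in place, the requested set is gone by the time the message is logged. Capturing the set before the call and logging the difference makes the downgrade auditable, e.g. `CapabilityQuintet requested = q;` before the `if`, and in the warning append `" (dropped bounding mask: 0x%" PRIx64 ")", requested.bounding & ~q.bounding` — this assumes the mangling only clears bits that are absent from the current bounding set, as the message text states; if the project has a helper that renders a capability mask as names, prefer that over the raw mask. The OCI branch in the first hunk is fine as a hard error, but the same before/after information would make that error message more actionable too. The start of `drop_capabilities()` is outside the hunk.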