diff --git a/Makefile b/Makefile
index 819bad09ca7..ec61673f7c4 100644
--- a/Makefile
+++ b/Makefile
@@ -43,7 +43,7 @@ static: $(SOURCES) | $(RUNC_LINK)
 CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
 
 release: $(RUNC_LINK) | $(RUNC_LINK)
- @flag_list=(seccomp selinux apparmor static ambient); \
+ @flag_list=(seccomp selinux apparmor static); \
 unset expression; \
 for flag in "$${flag_list[@]}"; do \
 expression+="' '{'',$${flag}}"; \
diff --git a/README.md b/README.md
index ec9b44ed818..d36f2e56e70 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,6 @@ make BUILDTAGS='seccomp apparmor'
 | seccomp | Syscall filtering | libseccomp |
 | selinux | selinux process and mount labeling | |
 | apparmor | apparmor profile support | libapparmor |
-| ambient | ambient capability support | kernel 4.3 |
 
 ### Running the test suite
 
diff --git a/libcontainer/capabilities_ambient.go b/libcontainer/capabilities_ambient.go
deleted file mode 100644
index 50da2832fbb..00000000000
--- a/libcontainer/capabilities_ambient.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// +build linux,ambient
-
-package libcontainer
-
-import "github.com/syndtr/gocapability/capability"
-
-const allCapabilityTypes = capability.CAPS | capability.BOUNDS | capability.AMBS
diff --git a/libcontainer/capabilities_linux.go b/libcontainer/capabilities_linux.go
index 31fd0dcf563..455509bc763 100644
--- a/libcontainer/capabilities_linux.go
+++ b/libcontainer/capabilities_linux.go
@@ -60,7 +60,13 @@ func (w *whitelist) dropBoundingSet() error {
 }
 
 // drop drops all capabilities for the current process except those specified in the whitelist.
-func (w *whitelist) drop() error {
+// in the case where NoNewPrivileges is set, so sudo and fs capabilities cannot be used, we can
+// use ambient capabilities so that non root users will gain capabilities
+func (w *whitelist) drop(nnp bool) error {
+ allCapabilityTypes := capability.CAPS | capability.BOUNDS
+ if nnp {
+ allCapabilityTypes |= capability.AMBS
+ }
 w.pid.Clear(allCapabilityTypes)
 w.pid.Set(allCapabilityTypes, w.keep...)
 return w.pid.Apply(allCapabilityTypes)
diff --git a/libcontainer/capabilities_noambient.go b/libcontainer/capabilities_noambient.go
deleted file mode 100644
index 752c4e51676..00000000000
--- a/libcontainer/capabilities_noambient.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// +build !ambient,linux
-
-package libcontainer
-
-import "github.com/syndtr/gocapability/capability"
-
-const allCapabilityTypes = capability.CAPS | capability.BOUNDS
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index 9d5f068025f..f93be066087 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -141,7 +141,7 @@ func finalizeNamespace(config *initConfig) error {
 return err
 }
 // drop all other capabilities
-if err := w.drop(); err != nil {
+if err := w.drop(config.NoNewPrivileges); err != nil {
 return err
 }
 if config.Cwd != "" {
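Review bot: `drop` now raises the ambient set whenever nnp is true, but the build-time opt-in that previously gated this behind the `ambient` tag is gone together with its kernel requirement (the README row deleted in this same change listed kernel 4.3), so on an older kernel the `w.pid.Apply(allCapabilityTypes)` call will presumably fail on the PR_CAP_AMBIENT prctl and a NoNewPrivileges container would not start — worth either probing for ambient support and leaving `capability.AMBS` out when it is absent, or at least documenting the minimum kernel on the function. The two added comment lines also read as a fragment rather than continuing the `// drop ...` doc sentence; suggest `// drop drops all capabilities for the current process except those specified in the whitelist. When nnp (NoNewPrivileges) is set, setuid binaries and file capabilities cannot raise privileges, so the ambient set is also cleared and filled from the whitelist to let a non-root process keep its capabilities across execve.` The closing brace of drop is outside the hunk.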
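Review bot: The ambient set is now selected from `config.NoNewPrivileges` at the `w.drop(...)` call, yet nothing in this hunk shows the matching prctl(PR_SET_NO_NEW_PRIVS) being applied, so a reader cannot confirm here that no_new_privs is actually enforced before the exec the ambient capabilities are meant to survive. A short comment at the call site naming where the flag is applied would make that dependency reviewable, e.g. `// ambient caps are raised only when NoNewPrivileges is set; the prctl itself is applied in <LOCATION-PLACEHOLDER>`. finalizeNamespace starts and ends outside the hunk.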