
capabilities: always set ambient and inheritable #7820

Merged

Conversation

giuseppe
Member

change capabilities handling to reflect what docker does.

Bounding: set to caplist
Inheritable: set to caplist
Effective: if uid != 0 then clear; else set to caplist
Permitted: if uid != 0 then clear; else set to caplist
Ambient: clear

Signed-off-by: Giuseppe Scrivano <[email protected]>
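The five-set rule in the description is short, but its consequence is easy to misjudge: the sets podman writes into the OCI config are the process's sets *before* the container entrypoint is exec'd, and the kernel rewrites Effective and Permitted on every execve. The following Go program is an added illustration, not podman's code: it applies the rule from the description and then runs the resulting sets through the execve transformation from capabilities(7) for an ordinary binary (no setuid bit, no file capabilities). `CapSets`, `ComputeCapSets`, `AfterExec`, `AmbientIsRaisable` and the sample cap list are all hypothetical names and values chosen for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CapSets is a hypothetical stand-in for the five capability sets an OCI
// runtime config carries (Bounding, Effective, Inheritable, Permitted, Ambient).
type CapSets struct {
	Bounding, Effective, Inheritable, Permitted, Ambient []string
}

// ComputeCapSets applies the rule from the PR description: Bounding and
// Inheritable get the cap list, Effective and Permitted get it only for uid 0,
// and Ambient is always cleared.
func ComputeCapSets(caplist []string, uid uint32) CapSets {
	cp := func() []string { return append([]string{}, caplist...) }
	s := CapSets{Bounding: cp(), Inheritable: cp(), Effective: []string{}, Permitted: []string{}, Ambient: []string{}}
	if uid == 0 {
		s.Effective, s.Permitted = cp(), cp()
	}
	return s
}

// capSet is a small set type so the kernel formulas below read as set algebra.
type capSet map[string]bool

func toSet(caps []string) capSet {
	s := capSet{}
	for _, c := range caps {
		s[c] = true
	}
	return s
}

func (a capSet) or(b capSet) capSet {
	out := capSet{}
	for c := range a {
		out[c] = true
	}
	for c := range b {
		out[c] = true
	}
	return out
}

func (a capSet) sorted() []string {
	out := make([]string, 0, len(a))
	for c := range a {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// AfterExec models the kernel's capability transformation when the process
// execs an ordinary binary (not setuid, no file capabilities), following
// capabilities(7):
//   P'(ambient)   = P(ambient)                       (file is not privileged)
//   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
//   P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
// For a non-root uid the file sets F(...) are empty, so only ambient caps
// survive. For uid 0 (without SECBIT_NOROOT) the kernel notionally treats
// F(inheritable) and F(permitted) as all ones and F(effective) as set.
func AfterExec(s CapSets, uid uint32) CapSets {
	bounding, inheritable, ambient := toSet(s.Bounding), toSet(s.Inheritable), toSet(s.Ambient)
	var permitted, effective capSet
	if uid == 0 {
		permitted = inheritable.or(bounding).or(ambient)
		effective = permitted
	} else {
		permitted = ambient
		effective = ambient
	}
	return CapSets{
		Bounding:    bounding.sorted(),
		Inheritable: inheritable.sorted(),
		Ambient:     ambient.sorted(),
		Permitted:   permitted.sorted(),
		Effective:   effective.sorted(),
	}
}

// AmbientIsRaisable reports whether every ambient capability is also in the
// Permitted and Inheritable sets; PR_CAP_AMBIENT_RAISE refuses anything else,
// so a config violating this cannot actually be installed by a runtime.
func AmbientIsRaisable(s CapSets) bool {
	p, i := toSet(s.Permitted), toSet(s.Inheritable)
	for _, c := range s.Ambient {
		if !p[c] || !i[c] {
			return false
		}
	}
	return true
}

func main() {
	caplist := []string{"CAP_CHOWN", "CAP_NET_BIND_SERVICE"} // constructed sample list
	for _, uid := range []uint32{0, 1000} {
		after := AfterExec(ComputeCapSets(caplist, uid), uid)
		fmt.Printf("uid %d: effective after exec = [%s]\n", uid, strings.Join(after.Effective, " "))
	}
	// The alternative a non-root container user would need to keep caps: an ambient set.
	withAmbient := CapSets{Bounding: caplist, Inheritable: caplist, Permitted: caplist, Effective: caplist, Ambient: caplist}
	fmt.Println("ambient raisable:", AmbientIsRaisable(withAmbient),
		"effective after exec:", AfterExec(withAmbient, 1000).Effective)
}
```

The run shows the point behind the `-u testuser` discussion further down: with Ambient cleared and Permitted empty, a non-root user ends up with no capabilities at all after exec, even though Bounding and Inheritable still list the caps; only an ambient set (which must itself be a subset of Permitted and Inheritable) carries capabilities to a non-root process across execve.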

@openshift-ci-robot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 29, 2020
@giuseppe giuseppe force-pushed the fix-capabilities-not-root branch from d151c0c to 4954178 Compare September 29, 2020 10:14
@giuseppe
Member Author

the test failure seems correct to me; why would we allow chown to work with -u USER and no caps added?

```go
// Ginkgo/Gomega e2e test excerpt: start a long-running container as root,
// then exec into it as the unprivileged user "testuser" and expect a file
// creation in the container's working directory to succeed.
setup := podmanTest.RunTopContainer("testctr")
setup.WaitWithDefaultTimeout()
Expect(setup.ExitCode()).To(Equal(0))

session = podmanTest.Podman([]string{"exec", "-u", "testuser", "testctr", "touch", "testfile"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
```

@giuseppe giuseppe force-pushed the fix-capabilities-not-root branch 3 times, most recently from 9eca9b2 to 8b75f22 Compare September 29, 2020 13:09
@TomSweeneyRedHat
Member

LGTM
assuming happy tests

@giuseppe giuseppe force-pushed the fix-capabilities-not-root branch 2 times, most recently from cbf84a1 to cbb0f21 Compare September 29, 2020 17:12
@rhatdan
Member

rhatdan commented Sep 29, 2020

/lgtm
/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 29, 2020
@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 29, 2020
@giuseppe giuseppe force-pushed the fix-capabilities-not-root branch from cbb0f21 to a33e3c6 Compare September 30, 2020 06:32
@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Sep 30, 2020
@giuseppe giuseppe force-pushed the fix-capabilities-not-root branch 2 times, most recently from 65bd084 to b575e25 Compare September 30, 2020 08:39
@giuseppe giuseppe force-pushed the fix-capabilities-not-root branch from b575e25 to 703381b Compare September 30, 2020 13:25
@rhatdan
Member

rhatdan commented Sep 30, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 30, 2020
@giuseppe
Member Author

/hold

let's make sure tests are still passing :-)

@baude
Member

baude commented Sep 30, 2020

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 30, 2020
@openshift-merge-robot openshift-merge-robot merged commit f86e01a into containers:master Sep 30, 2020
@lsm5
Member

lsm5 commented Oct 2, 2020

@giuseppe this likely needs to be backported to v2.1

@giuseppe
Member Author

giuseppe commented Oct 2, 2020

backport: #7898

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023