From d9d6641a9c96f8f61e2f9960532d21e700656254 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Thu, 2 Feb 2017 14:57:42 -0800
Subject: [PATCH] Add ambient and bounding capability support

Closes #668

Signed-off-by: Michael Crosby
---
 config.md | 33 ++++++++++++++++++++++-----------
 schema/config-schema.json | 19 ++++++++++++++++---
 schema/defs-linux.json | 2 +-
 specs-go/config.go | 12 ++++++++++--
 4 files changed, 49 insertions(+), 17 deletions(-)

diff --git a/config.md b/config.md
index 8925318e1..72b479fd1 100644
--- a/config.md
+++ b/config.md
@@ -131,8 +131,11 @@ See links for details about [mountvol](http://ss64.com/nt/mountvol.html) and [Se
 
 For Linux-based systems the process structure supports the following process specific fields:
 
-* **`capabilities`** (array of strings, OPTIONAL) capabilities is an array that specifies Linux capabilities that can be provided to the process inside the container.
+* **`capabilities`** (object, OPTIONAL) capabilities is a whitelist of capabilities for the bounding and ambient sets for Linux processes.
 Valid values are the strings for capabilities defined in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html).
+ capabilities contains the following properties:
+ * **`bounding`** (array of strings, OPTIONAL) - the 'bounding' field is the whitelist of bounding capabilities that are kept for the process.
+ * **`ambient`** (array of strings, OPTIONAL) - the 'ambient' field is the whitelist of ambient capabilities that are kept for the process.
 * **`rlimits`** (array of objects, OPTIONAL) allows setting resource limits for a process inside the container.
 Each entry has the following structure:
 
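Review bot: The new `capabilities` text gives whitelists for the bounding and ambient sets but says nothing about the permitted, effective and inheritable sets, nor about what a runtime does when `capabilities`, `bounding` or `ambient` is omitted, so two conforming runtimes can start the same process with different privileges. The kernel only admits a capability into the ambient set if it is already in the process's permitted and inheritable sets, so the relation between `ambient` and the other sets has to be stated before the field can be implemented consistently. I would add a sentence after the property list saying what an omitted object or field means (runtime default versus empty set) and which other capability sets a runtime is expected to configure from these two lists.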
@@ -189,11 +192,15 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
 "apparmorProfile": "acme_secure_profile",
 "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
 "noNewPrivileges": true,
- "capabilities": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE"
- ],
+ "capabilities": {
+ "bounding": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ ],
+ "ambient": [
+ "CAP_NET_BIND_SERVICE"
+ ]
+ },
 "rlimits": [
 {
 "type": "RLIMIT_NOFILE",
@@ -443,11 +450,15 @@ Here is a full example `config.json` for reference.
 "TERM=xterm"
 ],
 "cwd": "/",
- "capabilities": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE"
- ],
+ "capabilities": {
+ "bounding": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ ],
+ "ambient": [
+ "CAP_NET_BIND_SERVICE"
+ ]
+ },
 "rlimits": [
 {
 "type": "RLIMIT_CORE",
diff --git a/schema/config-schema.json b/schema/config-schema.json
index db2146cb5..ad6cce300 100644
--- a/schema/config-schema.json
+++ b/schema/config-schema.json
@@ -135,9 +135,22 @@
 },
 "capabilities": {
 "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities",
- "type": "array",
- "items": {
- "$ref": "defs-linux.json#/definitions/Capability"
+ "type": "object",
+ "properties": {
+ "bounding": {
+ "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/bounding",
+ "type": "array",
+ "items": {
+ "$ref": "defs-linux.json#/definitions/Capability"
+ }
+ },
+ "ambient": {
+ "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/ambient",
+ "type": "array",
+ "items": {
+ "$ref": "defs-linux.json#/definitions/Capability"
+ }
+ }
 }
 },
 "apparmorProfile": {
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
index 37a4c855b..5719a8641 100644
--- a/schema/defs-linux.json
+++ b/schema/defs-linux.json
@@ -78,7 +78,7 @@
 }
 },
 "Capability": {
- "description": "Linux process permissions",
+ "description": "Linux process capabilities",
 "type": "string",
 "pattern": "^CAP_([A-Z]|_)+$"
 },
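Review bot: The new `bounding` array in the example carries a trailing comma, `"CAP_KILL",` immediately before `],`, which is not valid JSON, so anyone who copies this config.json gets a parse error; the hunk at `@@ -443,11 +450,15 @@` has the same defect. Change that line to `"CAP_KILL"` in both places. Since the repository ships `schema/config-schema.json`, validating the examples in config.md against it in CI would have caught this. It is also worth a second look that the example puts `CAP_NET_BIND_SERVICE` in `ambient` but not in `bounding`; if that is intentional as an illustration of the two lists being independent, a sentence saying so in the text would help readers who take the example as a template.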
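Review bot: The new `capabilities` object has no `"additionalProperties": false`, so a config with a misspelled set name (say `"bouding"`, a constructed example) validates cleanly and the intended restriction is silently dropped, leaving the process with whatever the runtime does for an unspecified set; for a field whose purpose is to narrow privileges, a hard validation failure is the safer outcome. Unless the surrounding schema deliberately allows unknown keys everywhere (not visible in this hunk), I would add `"additionalProperties": false` alongside `"properties"`.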
diff --git a/specs-go/config.go b/specs-go/config.go
index 1660b776f..b274dfb80 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -44,8 +44,8 @@ type Process struct {
 // Cwd is the current working directory for the process and must be
 // relative to the container's root.
 Cwd string `json:"cwd"`
- // Capabilities are Linux capabilities that are kept for the container.
- Capabilities []string `json:"capabilities,omitempty" platform:"linux"`
+ // Capabilities are Linux capabilities that are kept for the process.
+ Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"`
 // Rlimits specifies rlimit options to apply to the process.
 Rlimits []LinuxRlimit `json:"rlimits,omitempty" platform:"linux"`
 // NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
@@ -56,6 +56,14 @@ type Process struct {
 SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
 }
 
+// LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
+type LinuxCapabilities struct {
+ // Bounding is the bounding set of capabilities that are kept.
+ Bounding []string `json:"bounding,omitempty" platform:"linux"`
+ // Ambient are the ambient set of capabilities that are kept.
+ Ambient []string `json:"ambient,omitempty" platform:"linux"`
+}
+
 // Box specifies dimensions of a rectangle. Used for specifying the size of a console.
 type Box struct {
 // Height is the vertical dimension of a box.
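Review bot: Changing `Capabilities` from `[]string` to `*LinuxCapabilities` is an incompatible change for Go consumers of `specs-go`: code that assigns or ranges over the slice stops compiling, and a config.json written in the previous array form no longer unmarshals into `Process`. The commit message only says support is added; I would state the incompatibility there, and have the field comment say what a nil `Capabilities` means for the process, which neither the new comment nor the config.md text currently does. The `Process` struct continues outside this hunk.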
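Review bot: `omitempty` on `Bounding` and `Ambient` makes an explicitly empty whitelist indistinguishable from an unspecified one after a marshal round trip: a `LinuxCapabilities{Bounding: []string{}}`, the least-privilege configuration that drops every bounding capability, encodes as `{}`, and a consumer reading it back cannot tell it from "not configured", which a runtime may well treat as a broader default. Either drop `,omitempty` from the two struct tags so an empty array survives encoding, or say in the field comments how an empty set is to be expressed. Minor: `// Ambient are the ambient set` should read `// Ambient is the ambient set`.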