capabilities: be more graceful in resetting ambient #4597
lifubang merged 1 commit into opencontainers:main from
Conversation
64890be to 216d45c
I'm not sure we can safely ignore an error from dropping caps -- in theory you shouldn't get an error in practice, but if we did fail to clear the caps then running the container at that point seems unsafe (ambient caps not being dropped properly was the cause of some very old Docker CVEs IIRC).
Totally understand and I'm going to work on this on the gvisor side. If you don't want to accept this, totally fine. My thinking was that if we were allowing SetAmbient through, we should allow ResetAmbient through too.
The reason why we warn rather than error out on But I wonder which error are you getting from gvisor, @evanphx? If that's EINVAL, it should actually be ignored as kernels older than 4.3 did not support ambient capabilities and thus EINVAL should be treated as "ambient caps are not supported, we warn about it but continue".
It is EINVAL, yeah. Looks like the ResetAmbient code path doesn't accommodate any errors currently, so I'd presume that pre-4.3 is broken atm too.
Can you change this to warn (or ignore) on EINVAL only? I think such a change belongs here (rather than moby/sys/capability) as in there it is a new API and I'd like it to be a tad lower-level (so a user can actually see ambient is not supported).
No problem!
216d45c to 17087f7
@kolyshkin Went ahead and didn't warn on EINVAL for now, especially because the code below will warn when it tries to actually set up the specific caps anyway.
kolyshkin left a comment
Just thought we can skip setting Ambient entirely upon getting EINVAL from ResetAmbient, as this can only mean one thing -- ambient caps are not supported.
OTOH warnings from SetAmbient might be nice to have, so maybe it's fine as it is.
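As an added illustration (not runc's code and not the patch in this PR) of the policy discussed above: EINVAL from ResetAmbient means ambient capabilities are unsupported, so the ambient step is skipped with a warning, as kolyshkin suggests; any other reset error fails closed, per the concern about leaving caps undropped; and a failure to raise a specific cap only warns, as the thread notes. The Cap type and the ambientOps stubs are constructed, and the function signatures assume those of moby/sys/capability's ResetAmbient and SetAmbient.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"syscall"
)

// Cap stands in for moby/sys/capability's capability type (constructed here).
type Cap int

// ambientOps wraps the two calls the thread discusses so the policy can be
// exercised against stubs; signatures assume capability.ResetAmbient/SetAmbient.
type ambientOps struct {
	reset func() error
	set   func(raise bool, caps ...Cap) error
}

// applyAmbient clears and then raises the ambient set. EINVAL from the reset
// means the kernel (or a sandbox such as gVisor) lacks ambient capability
// support, so the whole ambient step is skipped with a warning. Any other
// reset failure is returned: uncleared ambient caps would leak into the
// container, so this path fails closed.
func applyAmbient(ops ambientOps, want []Cap, warn func(string, ...any)) (bool, error) {
	if err := ops.reset(); err != nil {
		if errors.Is(err, syscall.EINVAL) {
			warn("ambient capabilities not supported by kernel, skipping")
			return false, nil
		}
		return false, fmt.Errorf("reset ambient capabilities: %w", err)
	}
	if len(want) > 0 {
		// As the thread notes, failing to raise a specific cap only warns.
		if err := ops.set(true, want...); err != nil {
			warn("can't raise ambient capabilities %v: %v", want, err)
		}
	}
	return true, nil
}

func main() {
	// Constructed stub: a gVisor-like runtime rejecting the prctl with EINVAL.
	noAmbient := ambientOps{
		reset: func() error { return syscall.EINVAL },
		set:   func(bool, ...Cap) error { return nil },
	}
	applied, err := applyAmbient(noAmbient, []Cap{7}, log.Printf)
	fmt.Println(applied, err) // false <nil>
}
```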
Similar to when SetAmbient() can fail, runc should be graceful about ResetAmbient failing. This functionality previously worked under gvisor, which doesn't implement ambient capabilities atm. The hard error on reset broke gvisor usage.

Signed-off-by: Evan Phoenix <evan@phx.io>
17087f7 to 54fa0c5
@opencontainers/runc-maintainers PTAL