From 5c0f636d2f99bbabaa939b89b31aa5cde6831578 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Fri, 16 Jul 2021 16:50:51 -0400
Subject: [PATCH] Dockerfile: run `rpm --setcaps shadow-utils` during build

Our base images don't preserve file capabilities on /usr/bin/newuidmap and /usr/bin/newgidmap, but they do preserve setuid/setgid bits, which grant more privileges to callers, so go ahead and restore file capabilities during the build.

Signed-off-by: Nalin Dahyabhai
---
 Dockerfile | 1 +
 Dockerfile-dev | 1 +
 Dockerfile.rhel7 | 1 +
 Dockerfile.rhel8 | 1 +
 4 files changed, 4 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 000bb26639..2add0695e6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,6 +11,7 @@ RUN INSTALL_PKGS=" \
 " && \
 yum install -y --setopt=skip_missing_names_on_install=False $INSTALL_PKGS && \
 yum clean all
+RUN rpm --setcaps shadow-utils
 COPY --from=builder /go/src/github.com/openshift/builder/openshift-builder /usr/bin/
 COPY imagecontent/bin /usr/bin
 COPY imagecontent/etc/containers /etc/containers
diff --git a/Dockerfile-dev b/Dockerfile-dev
index db3c8c06d5..3452827927 100644
--- a/Dockerfile-dev
+++ b/Dockerfile-dev
@@ -9,6 +9,7 @@ RUN INSTALL_PKGS=" \
 " && \
 yum install -y --setopt=skip_missing_names_on_install=False ${INSTALL_PKGS} && \
 yum clean all
+RUN rpm --setcaps shadow-utils
 COPY imagecontent/bin /usr/bin
 COPY imagecontent/etc/containers /etc/containers
 COPY imagecontent/usr/share/containers /usr/share/containers
diff --git a/Dockerfile.rhel7 b/Dockerfile.rhel7
index 8a1bd40eac..d6ca5f276d 100644
--- a/Dockerfile.rhel7
+++ b/Dockerfile.rhel7
@@ -11,6 +11,7 @@ RUN INSTALL_PKGS=" \
 " && \
 yum install -y --setopt=skip_missing_names_on_install=False $INSTALL_PKGS && \
 yum clean all
+RUN rpm --setcaps shadow-utils
 COPY --from=builder /go/src/github.com/openshift/builder/openshift-builder /usr/bin/
 COPY imagecontent/bin /usr/bin
 COPY imagecontent/etc/containers /etc/containers
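Review bot: The added `RUN rpm --setcaps shadow-utils` in Dockerfile can succeed as a build step even when no capability was actually applied, because, as far as I recall, `--setcaps` is an rpm popt alias that expands to a query whose per-file `setcap` commands are piped into `sh`, so a `setcap` that fails (for example on storage that rejects the `security.capability` xattr) does not reliably surface in rpm's exit status. Since the whole point of the change is to narrow setuid-root newuidmap/newgidmap from all capabilities down to the ones the package declares, the build should fail loudly if that did not happen. Consider `RUN rpm --setcaps shadow-utils && getcap /usr/bin/newuidmap | grep -q cap_setuid && getcap /usr/bin/newgidmap | grep -q cap_setgid`; `getcap` ships in libcap, which `--setcaps` already needs for `setcap`, but the INSTALL_PKGS list is outside the hunk so I cannot confirm it is installed explicitly. The `RUN INSTALL_PKGS=` instruction this hunk continues starts outside the hunk.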
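Review bot: The new `RUN rpm --setcaps shadow-utils` line in Dockerfile-dev is opaque to a reader of the file: nothing next to it says what it restores or why, and the rationale lives only in this commit message, where the next person who reorders or squashes these RUN steps will not find it. Add a comment above it along the lines of `# The base image drops the file capabilities the shadow-utils RPM declares for newuidmap/newgidmap but keeps their setuid/setgid bits; a setuid-root binary with no file caps gets all capabilities, so re-apply the caps from the RPM metadata to narrow that.` Naming the binaries also makes it clear that the step must stay after shadow-utils is installed by the preceding RUN, whose start is outside the hunk.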
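Review bot: Style: in Dockerfile.rhel7 the capability restoration is a separate `RUN` rather than part of the `yum install ... && yum clean all` chain it depends on, which adds a layer for a single command and makes it easy for a later edit to move or drop it independently of the package install it fixes up. I would end the preceding instruction with `yum clean all && \` and then `rpm --setcaps shadow-utils`, so that installing shadow-utils and re-applying its declared capabilities are one step; the same layout would apply to the other three Dockerfiles in this patch. The RUN instruction this hunk continues starts outside the hunk.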
diff --git a/Dockerfile.rhel8 b/Dockerfile.rhel8
index 80590d8fdd..5c9474ba16 100644
--- a/Dockerfile.rhel8
+++ b/Dockerfile.rhel8
@@ -10,6 +10,7 @@ RUN INSTALL_PKGS=" \
 " && \
 yum install -y --setopt=skip_missing_names_on_install=False $INSTALL_PKGS && \
 yum clean all
+RUN rpm --setcaps shadow-utils
 COPY --from=builder /go/src/github.com/openshift/builder/openshift-builder /usr/bin/
 COPY imagecontent/bin /usr/bin
 COPY imagecontent/etc/containers /etc/containers
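Review bot: Whether `RUN rpm --setcaps shadow-utils` in Dockerfile.rhel8 has any effect in the published image depends on the very property the commit message says the base images lack, preservation of the `security.capability` xattr across layer commit and extraction, and nothing here checks it. If the build's storage strips xattrs when this layer is committed, newuidmap/newgidmap end up setuid-root with no file caps again, i.e. with all capabilities, which is exactly the state the change is meant to avoid. I would add a check against the built image in CI rather than in the Dockerfile, for example `rpm -V shadow-utils` (which, as I recall, reports `P` for a capability mismatch) or `getcap /usr/bin/newuidmap /usr/bin/newgidmap` inside a container started from the image. The RUN instruction this hunk continues starts outside the hunk.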