Merge pull request #1373 from rhatdan/caps

Back by popular demand CAP_SYS_CHROOT
containers · Mar 21, 2023 · 28ebcc6 · 28ebcc6
2 parents 09a61b3 + c700408
commit 28ebcc6
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 0 deletions.
diff --git a/docs/containers.conf.5.md b/docs/containers.conf.5.md
@@ -104,6 +104,7 @@ default_capabilities = [
       "SETGID",
       "SETPCAP",
       "SETUID",
+      "SYS_CHROOT",
 ]
 ```
 

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -361,6 +361,20 @@ image_copy_tmp_dir="storage"`
 				},
 			}
 
+			defCaps := []string{
+				"CAP_CHOWN",
+				"CAP_DAC_OVERRIDE",
+				"CAP_FOWNER",
+				"CAP_FSETID",
+				"CAP_KILL",
+				"CAP_NET_BIND_SERVICE",
+				"CAP_SETFCAP",
+				"CAP_SETGID",
+				"CAP_SETPCAP",
+				"CAP_SETUID",
+				"CAP_SYS_CHROOT",
+			}
+
 			envs := []string{
 				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 				"TERM=xterm",
@@ -387,6 +401,10 @@ image_copy_tmp_dir="storage"`
 			gomega.Expect(config.Engine.NumLocks).To(gomega.BeEquivalentTo(2048))
 			gomega.Expect(config.Engine.OCIRuntimes["runc"]).To(gomega.Equal(OCIRuntimeMap["runc"]))
 			gomega.Expect(config.Containers.CgroupConf).To(gomega.BeNil())
+
+			caps, _ := config.Capabilities("", nil, nil)
+			gomega.Expect(caps).Should(gomega.Equal(defCaps))
+
 			if useSystemd() {
 				gomega.Expect(config.Engine.CgroupManager).To(gomega.BeEquivalentTo("systemd"))
 			} else {

diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf
@@ -68,6 +68,7 @@
 #  "SETGID",
 #  "SETPCAP",
 #  "SETUID",
+#  "SYS_CHROOT",
 #]
 
 # A list of sysctls to be set in containers by default,

diff --git a/pkg/config/default.go b/pkg/config/default.go
@@ -60,6 +60,7 @@ var (
 		"CAP_SETGID",
 		"CAP_SETPCAP",
 		"CAP_SETUID",
+		"CAP_SYS_CHROOT",
 	}
 
 	// Search these locations in which CNIPlugins can be installed.