Ko learns about Linux capabilities

Signed-off-by: Nick Zavaritsky <[email protected]>

Author: mejedi

integration_test.sh

@@ -96,6 +96,23 @@ for app in foo bar ; do
 done
 popd || exit 1
 
+echo "9. Linux capabilities."
+pushd test/build-configs || exit 1
+# run as non-root user with net_bind_service cap granted
+docker_run_opts="--user 1 --cap-add=net_bind_service"
+RESULT="$(GO111MODULE=on GOFLAGS="" ../../ko build --local ./caps/cmd | grep "$FILTER" | xargs -I% docker run $docker_run_opts %)"
+if [[ "$RESULT" != "No capabilities" ]]; then
+  echo "Test FAILED. Saw '$RESULT' but expected 'No capabilities'. Docker 'cap-add' must have no effect unless matching capabilities are granted to the file." && exit 1
+fi
+# build with a different config requesting net_bind_service file capability
+RESULT_WITH_FILE_CAPS="$(KO_CONFIG_PATH=caps.ko.yaml GO111MODULE=on GOFLAGS="" ../../ko build --local ./caps/cmd | grep "$FILTER" | xargs -I% docker run $docker_run_opts %)"
+if [[ "$RESULT_WITH_FILE_CAPS" !=  "Has capabilities"* ]]; then
+  echo "Test FAILED. Saw '$RESULT_WITH_FILE_CAPS' but expected 'Has capabilities'. Docker 'cap-add' must work when matching capabilities are granted to the file." && exit 1
+else
+  echo "Test PASSED"
+fi
+popd || exit 1
+
 popd || exit 1
 popd || exit 1
 

pkg/build/config.go

@@ -92,4 +92,8 @@ type Config struct {
 	// Gcflags      StringArray `yaml:",omitempty"`
 	// ModTimestamp string      `yaml:"mod_timestamp,omitempty"`
 	// GoBinary     string      `yaml:",omitempty"`
+
+	// extension: Linux capabilities to enable on the executable, applies
+	// to Linux targets.
+	LinuxCapabilities FlagArray `yaml:"linux_capabilities,omitempty"`
 }

pkg/build/gobuild.go

@@ -39,6 +39,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
 	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/google/ko/internal/sbom"
+	"github.com/google/ko/pkg/caps"
 	specsv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sigstore/cosign/v2/pkg/oci"
 	ocimutate "github.com/sigstore/cosign/v2/pkg/oci/mutate"
@@ -486,7 +487,7 @@ func appFilename(importpath string) string {
 // owner: BUILTIN/Users group: BUILTIN/Users ($sddlValue="O:BUG:BU")
 const userOwnerAndGroupSID = "AQAAgBQAAAAkAAAAAAAAAAAAAAABAgAAAAAABSAAAAAhAgAAAQIAAAAAAAUgAAAAIQIAAA=="
 
-func tarBinary(name, binary string, platform *v1.Platform) (*bytes.Buffer, error) {
+func tarBinary(name, binary string, platform *v1.Platform, opts *layerOptions) (*bytes.Buffer, error) {
 	buf := bytes.NewBuffer(nil)
 	tw := tar.NewWriter(buf)
 	defer tw.Close()
@@ -533,13 +534,21 @@ func tarBinary(name, binary string, platform *v1.Platform) (*bytes.Buffer, error
 		// Use a fixed Mode, so that this isn't sensitive to the directory and umask
 		// under which it was created. Additionally, windows can only set 0222,
 		// 0444, or 0666, none of which are executable.
-		Mode: 0555,
+		Mode:       0555,
+		PAXRecords: map[string]string{},
 	}
-	if platform.OS == "windows" {
+	switch platform.OS {
+	case "windows":
 		// This magic value is for some reason needed for Windows to be
 		// able to execute the binary.
-		header.PAXRecords = map[string]string{
-			"MSWINDOWS.rawsd": userOwnerAndGroupSID,
+		header.PAXRecords["MSWINDOWS.rawsd"] = userOwnerAndGroupSID
+	case "linux":
+		if opts.linuxCapabilities != nil {
+			xattr, err := opts.linuxCapabilities.ToXattrBytes()
+			if err != nil {
+				return nil, fmt.Errorf("caps.FileCaps.ToXattrBytes: %w", err)
+			}
+			header.PAXRecords["SCHILY.xattr.security.capability"] = string(xattr)
 		}
 	}
 	// write the header to the tarball archive
@@ -826,7 +835,8 @@ func (g *gobuild) buildOne(ctx context.Context, refStr string, base v1.Image, pl
 		return nil, fmt.Errorf("base image platform %q does not match desired platforms %v", platform, g.platformMatcher.platforms)
 	}
 	// Do the build into a temporary file.
-	file, err := g.build(ctx, ref.Path(), g.dir, *platform, g.configForImportPath(ref.Path()))
+	config := g.configForImportPath(ref.Path())
+	file, err := g.build(ctx, ref.Path(), g.dir, *platform, config)
 	if err != nil {
 		return nil, fmt.Errorf("build: %w", err)
 	}
@@ -862,11 +872,24 @@ func (g *gobuild) buildOne(ctx context.Context, refStr string, base v1.Image, pl
 	appFileName := appFilename(ref.Path())
 	appPath := path.Join(appDir, appFileName)
 
+	var lo layerOptions
+	lo.linuxCapabilities, err = caps.NewFileCaps(config.LinuxCapabilities...)
+	if err != nil {
+		return nil, fmt.Errorf("linux_capabilities: %w", err)
+	}
+
 	miss := func() (v1.Layer, error) {
-		return buildLayer(appPath, file, platform, layerMediaType)
+		return buildLayer(appPath, file, platform, layerMediaType, &lo)
 	}
 
-	binaryLayer, err := g.cache.get(ctx, file, miss)
+	var binaryLayer v1.Layer
+	switch {
+	case lo.linuxCapabilities != nil:
+		log.Printf("Some options prevent us from using layer cache")
+		binaryLayer, err = miss()
+	default:
+		binaryLayer, err = g.cache.get(ctx, file, miss)
+	}
 	if err != nil {
 		return nil, fmt.Errorf("cache.get(%q): %w", file, err)
 	}
@@ -946,9 +969,14 @@ func (g *gobuild) buildOne(ctx context.Context, refStr string, base v1.Image, pl
 	return si, nil
 }
 
-func buildLayer(appPath, file string, platform *v1.Platform, layerMediaType types.MediaType) (v1.Layer, error) {
+// layerOptions captures additional options to apply when authoring layer
+type layerOptions struct {
+	linuxCapabilities *caps.FileCaps
+}
+
+func buildLayer(appPath, file string, platform *v1.Platform, layerMediaType types.MediaType, opts *layerOptions) (v1.Layer, error) {
 	// Construct a tarball with the binary and produce a layer.
-	binaryLayerBuf, err := tarBinary(appPath, file, platform)
+	binaryLayerBuf, err := tarBinary(appPath, file, platform, opts)
 	if err != nil {
 		return nil, fmt.Errorf("tarring binary: %w", err)
 	}

test/build-configs/.ko.yaml

@@ -26,3 +26,6 @@ builds:
   flags:
   - -toolexec
   - go
+- id: caps-app
+  dir: ./caps
+  main: ./cmd

test/build-configs/caps.ko.yaml

@@ -0,0 +1,19 @@
+# Copyright 2024 ko Build Authors All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+builds:
+- id: caps-app-with-caps
+  dir: ./caps
+  main: ./cmd
+  linux_capabilities: net_bind_service chown

test/build-configs/caps/cmd/main.go

@@ -0,0 +1,50 @@
+// Copyright 2024 ko Build Authors All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strconv"
+	"strings"
+)
+
+func permittedCaps() (uint64, error) {
+	data, err := ioutil.ReadFile("/proc/self/status")
+	if err != nil {
+		return 0, err
+	}
+	const prefix = "CapPrm:"
+	for _, line := range strings.Split(string(data), "\n") {
+		if strings.HasPrefix(line, prefix) {
+			return strconv.ParseUint(strings.TrimSpace(line[len(prefix):]), 16, 64)
+		}
+	}
+	return 0, fmt.Errorf("didn't find %#v in /proc/self/status", prefix)
+}
+
+func main() {
+	caps, err := permittedCaps()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	if caps == 0 {
+		fmt.Println("No capabilities")
+	} else {
+		fmt.Printf("Has capabilities (%x)\n", caps)
+	}
+}

test/build-configs/caps/go.mod

@@ -0,0 +1,17 @@
+// Copyright 2024 ko Build Authors All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+module example.com/caps
+
+go 1.16