Skip to content

Set ambient capabilities where supported #1086

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mrunalp merged 1 commit into from
Sep 28, 2016
Merged

Set ambient capabilities where supported #1086

mrunalp merged 1 commit into from
Sep 28, 2016

Conversation

@justincormack
Copy link
Contributor

@justincormack justincormack commented Sep 28, 2016

Since Linux 4.3 ambient capabilities are available. If set these allow unprivileged child
processes to inherit capabilities, while at present there is no means to set capabilities
on non root processes, other than via filesystem capabilities which are not usually
supported in image formats.

With ambient capabilities non root processes can be given capabilities as well, and so
the main reason to use root in containers goes away, and capabilities work as expected.

The code falls back to the existing behaviour if ambient capabilities are not supported.

Signed-off-by: Justin Cormack [email protected]

@justincormack
Set ambient capabilities where supported
4e179bd 
Since Linux 4.3 ambient capabilities are available. If set these allow unprivileged child
processes to inherit capabilities, while at present there is no means to set capabilities
on non root processes, other than via filesystem capabilities which are not usually
supported in image formats.

With ambient capabilities non root processes can be given capabilities as well, and so
the main reason to use root in containers goes away, and capabilities work as expected.

The code falls back to the existing behaviour if ambient capabilities are not supported.

Signed-off-by: Justin Cormack <[email protected]>
@justincormack justincormack mentioned this pull request Sep 28, 2016
Closed
@justincormack
Copy link
Contributor Author

justincormack commented Sep 28, 2016

cc @mrunalp @crosbymichael

@justincormack justincormack mentioned this pull request Sep 28, 2016
Merged
@justincormack
Copy link
Contributor Author

justincormack commented Sep 28, 2016

Docker PR moby/moby#26979 but I don't think any decisions about whether to reduce capabilities for non root users affect runc these are just policy.

@mrunalp
Copy link
Contributor

mrunalp commented Sep 28, 2016

Looks fine. I'll test it out and then ack it :)

@crosbymichael
Copy link
Member

crosbymichael commented Sep 28, 2016
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

1 similar comment
@mrunalp
Copy link
Contributor

mrunalp commented Sep 28, 2016
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

@mrunalp mrunalp merged commit b3833a0 into opencontainers:master Sep 28, 2016
@justincormack justincormack deleted the ambient branch September 28, 2016 17:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

status/0-triage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@justincormack @mrunalp @crosbymichael @GordonTheTurtle