From 6d3ab13a4d896d9f4cac46836ca4193de9545f49 Mon Sep 17 00:00:00 2001
From: Kyle Harding
Date: Thu, 5 May 2022 11:02:23 -0400
Subject: [PATCH] Check each cap explicitly against the permitted vector

Privileged containers do not list each cap by name, instead they lead with =eip and selectively remove caps with cap_foo_bar-eip. Instead we can use the --has-p flag of capsh to check for the permitted cap.

Signed-off-by: Kyle Harding
---
 bash_functions.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/bash_functions.sh b/bash_functions.sh
index 79469ae..38264ee 100644
--- a/bash_functions.sh
+++ b/bash_functions.sh
@@ -7,11 +7,11 @@ fix_capabilities() {
 # Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
 # FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
- /sbin/capsh '==' --print | grep "Current:" | grep -q cap_chown && CAP_STR+=',CAP_CHOWN'
- /sbin/capsh '==' --print | grep "Current:" | grep -q cap_net_bind_service && CAP_STR+=',CAP_NET_BIND_SERVICE'
- /sbin/capsh '==' --print | grep "Current:" | grep -q cap_net_raw && CAP_STR+=',CAP_NET_RAW'
- /sbin/capsh '==' --print | grep "Current:" | grep -q cap_net_admin && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
- /sbin/capsh '==' --print | grep "Current:" | grep -q cap_sys_nice && CAP_STR+=',CAP_SYS_NICE'
+ /sbin/capsh --has-p=cap_chown && CAP_STR+=',CAP_CHOWN'
+ /sbin/capsh --has-p=cap_net_bind_service && CAP_STR+=',CAP_NET_BIND_SERVICE'
+ /sbin/capsh --has-p=cap_net_raw && CAP_STR+=',CAP_NET_RAW'
+ /sbin/capsh --has-p=cap_net_admin && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
+ /sbin/capsh --has-p=cap_sys_nice && CAP_STR+=',CAP_SYS_NICE'
 if [[ ${CAP_STR} ]]; then
 # We have the (some of) the above caps available to us - apply them to pihole-FTL