Check each cap explicitly against the permitted vector
Privileged containers do not list each cap by name; instead they lead with =eip and selectively remove caps with cap_foo_bar-eip. Instead we can use the --has-p flag of capsh to check for the permitted cap. Signed-off-by: Kyle Harding <kyle@balena.io>
parent
ad9d7cb710
commit
6d3ab13a4d
@ -7,11 +7,11 @@ fix_capabilities() {
|
||||||
# Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
|
# Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
|
||||||
# FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
|
# FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
|
||||||
|
|
||||||
/sbin/capsh '==' --print | grep "Current:" | grep -q cap_chown && CAP_STR+=',CAP_CHOWN'
|
/sbin/capsh --has-p=cap_chown && CAP_STR+=',CAP_CHOWN'
|
||||||
/sbin/capsh '==' --print | grep "Current:" | grep -q cap_net_bind_service && CAP_STR+=',CAP_NET_BIND_SERVICE'
|
/sbin/capsh --has-p=cap_net_bind_service && CAP_STR+=',CAP_NET_BIND_SERVICE'
|
||||||
/sbin/capsh '==' --print | grep "Current:" | grep -q cap_net_raw && CAP_STR+=',CAP_NET_RAW'
|
/sbin/capsh --has-p=cap_net_raw && CAP_STR+=',CAP_NET_RAW'
|
||||||
/sbin/capsh '==' --print | grep "Current:" | grep -q cap_net_admin && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
|
/sbin/capsh --has-p=cap_net_admin && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
|
||||||
/sbin/capsh '==' --print | grep "Current:" | grep -q cap_sys_nice && CAP_STR+=',CAP_SYS_NICE'
|
/sbin/capsh --has-p=cap_sys_nice && CAP_STR+=',CAP_SYS_NICE'
|
||||||
|
|
||||||
if [[ ${CAP_STR} ]]; then
|
if [[ ${CAP_STR} ]]; then
|
||||||
# We have the (some of) the above caps available to us - apply them to pihole-FTL
|
# We have the (some of) the above caps available to us - apply them to pihole-FTL
|
||||||
|
|
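Review bot: The new `--has-p` checks (the capsh lines for cap_chown through cap_sys_nice) cannot distinguish "capability not permitted" from "capsh failed for another reason", such as the binary being absent or a libcap too old to accept the `--has-p` option, so either case silently leaves CAP_STR empty and, on the cap_net_admin line, sets DHCP_READY='false' with no diagnostic. A one-time guard before the chain, e.g. `command -v /sbin/capsh >/dev/null || echo "capsh not found; capability detection skipped" >&2`, would make that failure visible in the container log instead of being misread as a reduced capability set. The `a && b || c` form on the cap_net_admin line only works because the `CAP_STR+=` assignment can never fail; an explicit `if`/`else` would state that intent more clearly. The enclosing `fix_capabilities()` begins before this hunk and continues after it.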