fix: don't enable 'no new privs' on the system level

This breaks some pods which deliberately drop all capabilities but regain
specific ones via file capabilities (e.g. `nginx-ingress`).

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Andrey Smirnov 2021-10-06 21:43:14 +03:00
parent 423861cf9f
commit 66a1579ea7
No known key found for this signature in database
GPG Key ID: 7B26396447AB6DFD


@ -257,16 +257,6 @@ func DropCapabilities(seq runtime.Sequence, data interface{}) (runtime.TaskExecu
return fmt.Errorf("error setting secbits: %w", err)
}
// Set PR_SET_NO_NEW_PRIVS to limit setuid and similar privilege raising techniques.
// See https://www.kernel.org/doc/html/v5.10/userspace-api/no_new_privs.html.
if _, _, err := syscall.AllThreadsSyscall6(syscall.SYS_PRCTL, unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); err != 0 {
if errors.Is(err, syscall.EOPNOTSUPP) {
logger.Printf("no_new_privs skipped, as Talos is built with CGo")
} else {
return fmt.Errorf("error setting no new privs: %w", err)
}
}
// Drop capabilities from the bounding set effectively disabling it for all forked processes,
// but keep them for PID 1.
droppedCapabilities := []cap.Value{