Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

capabilities: be more graceful in resetting ambient #4597

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

capabilities: be more graceful in resetting ambient #4597

wants to merge 1 commit into from

Conversation

evanphx
Copy link
Contributor

@evanphx evanphx commented Jan 20, 2025

Similar to when SetAmbient() can fail, runc should be graceful about ResetAmbient failing.

This functionality previously worked under gvisor, which doesn't implement ambient capabilities atm. The hard error on reset broke gvisor usage.

@evanphx evanphx force-pushed the evanphx/b-graceful-ambient branch from 64890be to 216d45c Compare January 20, 2025 03:58
@cyphar
Copy link
Member

cyphar commented Jan 20, 2025
edited
Loading

I'm not sure we can safely ignore an error from dropping caps -- in theory you shouldn't get an error in practice, but if we did fail to clear the caps then running the container at that point seems unsafe (ambient caps not being dropped properly was the cause of some very old Docker CVEs IIRC).

@evanphx
Copy link
Contributor Author

evanphx commented Jan 20, 2025

Totally understand and I'm going to work on this on the gvisor side. If you don't want to accept this, totally fine. My thinking was that if we were allowing SetAmbient through, we should allow ResetAmbient through too.

@kolyshkin
Copy link
Contributor

The reason why we warn rather than error out on SetAmbient is explained in the code, and the cause is backward compatibility concerns (old gocapability package used to ignore any errors). We didn't have such thing with ResetAmbient (in fact, we did not use ResetAmbient until recently).

But I wonder which error are you getting from gvisor, @evanphx? If that's EINVAL, it should actually be ignored as kernels older than 4.3 did not support ambient capabilities and thus EINVAL should be treated as "ambient caps are not supported, we warn about it but continue".

@evanphx
Copy link
Contributor Author

evanphx commented Jan 20, 2025

It is EINVAL, yeah. Looks like the ResetAmbient code path doesn't accommodate any errors currently, so I'd presume that pre 4.3 is broken atm too.

@kolyshkin
Copy link
Contributor

It is EINVAL, yeah. Looks like the ResetAmbient code path doesn't accommodate any errors currently, so I'd presume that pre 4.3 is broken atm too.

Can you change this to warn (or ignore) on EINVAL only? I think such change belongs here (rather than moby/sys/capability) as in there it is a new API and I'd like it to be a tad lower-level (so a user can actually see ambient is not supported).

@evanphx
Copy link
Contributor Author

evanphx commented Jan 24, 2025

No problem!

@evanphx
capabilities: be more graceful in resetting ambient
17087f7 
Similar to when SetAmbient() can fail, runc should be graceful about
ResetAmbient failing.

This functionality previously worked under gvisor, which doesn't
implement ambient capabilities atm. The hard error on reset broke gvisor
usage.

Signed-off-by: Evan Phoenix <evan@phx.io>
@evanphx evanphx force-pushed the evanphx/b-graceful-ambient branch from 216d45c to 17087f7 Compare January 24, 2025 19:59
@evanphx
Copy link
Contributor Author

evanphx commented Jan 24, 2025

@kolyshkin Went ahead and didn't warn on EINVAL for now, especially because the code below will warn when it tries to actually set up the specific caps anyway.

kolyshkin
kolyshkin approved these changes Jan 24, 2025
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just thought we can skip setting Ambient entirely upon getting EINVAL from ResetAmbient, as this can only mean one thing -- ambient caps are not supported.

OTOH warnings from SetAmbient might be nice to have, so maybe it's fine as it is.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kolyshkin kolyshkin kolyshkin approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@evanphx @cyphar @kolyshkin