cri-o · openshift-merge-robot · Oct 7, 2022 · Sep 19, 2022 · Sep 19, 2022 · Sep 28, 2022
@@ -13,6 +13,7 @@ wipe
 help
 h
 --absent-mount-sources-to-reject
+--add-inheritable-capabilities
 --additional-devices
 --address
 --allowed-devices

@@ -10,6 +10,7 @@ function __fish_crio_no_subcommand --description 'Test if there has been any sub
 end
 
 complete -c crio -n '__fish_crio_no_subcommand' -f -l absent-mount-sources-to-reject -r -d 'A list of paths that, when absent from the host, will cause a container creation to fail (as opposed to the current behavior of creating a directory).'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l add-inheritable-capabilities -d 'Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l additional-devices -r -d 'Devices to add to the containers '
 complete -c crio -n '__fish_crio_no_subcommand' -f -l allowed-devices -r -d 'Devices a user is allowed to specify with the "io.kubernetes.cri-o.Devices" allowed annotation'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l apparmor-profile -r -d 'Name of the apparmor profile to be used as the runtime\'s default. This only takes effect if the user does not specify a profile via the Kubernetes Pod\'s metadata annotation.'

@@ -20,6 +20,7 @@ it later with **--config**. Global options will modify the output.'
   local -a opts
   opts=(
         '--absent-mount-sources-to-reject'
+        '--add-inheritable-capabilities'
         '--additional-devices'
         '--address'
         '--allowed-devices'

@@ -12,6 +12,7 @@ crio
 
 ```
 [--absent-mount-sources-to-reject]=[value]
+[--add-inheritable-capabilities]
 [--additional-devices]=[value]
 [--allowed-devices]=[value]
 [--apparmor-profile]=[value]
@@ -137,6 +138,8 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--absent-mount-sources-to-reject**="": A list of paths that, when absent from the host, will cause a container creation to fail (as opposed to the current behavior of creating a directory). (default: [])
 
+**--add-inheritable-capabilities**: Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective.
+
 **--additional-devices**="": Devices to add to the containers  (default: [])
 
 **--allowed-devices**="": Devices a user is allowed to specify with the "io.kubernetes.cri-o.Devices" allowed annotation (default: [/dev/fuse])

@@ -183,6 +183,10 @@ the container runtime configuration.
   ]
 ```
 
+**add_inheritable_capabilities**=true
+ Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective.
+ If capabilities are expected to work for non-root users, this option should be set.
+
 **default_sysctls**=[]
  List of default sysctls. If it is empty or commented out, only the sysctls defined in the container json file by the user/kube will be added.
 

@@ -201,6 +201,9 @@ func mergeConfig(config *libconfig.Config, ctx *cli.Context) error {
 	if ctx.IsSet("default-capabilities") {
 		config.DefaultCapabilities = StringSliceTrySplit(ctx, "default-capabilities")
 	}
+	if ctx.IsSet("add-inheritable-capabilities") {
+		config.AddInheritableCapabilities = ctx.Bool("add-inheritable-capabilities")
+	}
 	if ctx.IsSet("default-sysctls") {
 		config.DefaultSysctls = StringSliceTrySplit(ctx, "default-sysctls")
 	}
@@ -709,6 +712,12 @@ func getCrioFlags(defConf *libconfig.Config) []cli.Flag {
 			EnvVars: []string{"CONTAINER_DEFAULT_CAPABILITIES"},
 			Value:   cli.NewStringSlice(defConf.DefaultCapabilities...),
 		},
+		&cli.BoolFlag{
+			Name:    "add-inheritable-capabilities",
+			Usage:   "Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective.",
+			EnvVars: []string{"CONTAINER_ADD_INHERITABLE_CAPABILITIES"},
+			Value:   defConf.AddInheritableCapabilities,
+		},
 		&cli.StringSliceFlag{
 			Name:    "default-sysctls",
 			Usage:   "Sysctls to add to the containers",

@@ -111,7 +111,7 @@ type Container interface {
 	SpecAddNamespaces(*sandbox.Sandbox, *oci.Container, *config.Config) error
 
 	// SpecSetupCapabilities sets up the container's capabilities
-	SpecSetupCapabilities(*types.Capability, capabilities.Capabilities) error
+	SpecSetupCapabilities(*types.Capability, capabilities.Capabilities, bool) error
 
 	// PidNamespace returns the pid namespace created by SpecAddNamespaces.
 	PidNamespace() nsmgr.Namespace
@@ -574,7 +574,7 @@ func (c *container) WillRunSystemd() bool {
 	return strings.Contains(entrypoint, "/sbin/init") || (filepath.Base(entrypoint) == "systemd")
 }
 
-func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps capabilities.Capabilities) error {
+func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps capabilities.Capabilities, addInheritableCapabilities bool) error {
 	// Make sure to remove all ambient capabilities. Kubernetes is not yet ambient capabilities aware
 	// and pods expect that switching to a non-root user results in the capabilities being
 	// dropped. This should be revisited in the future.
@@ -628,6 +628,11 @@ func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps ca
 			if err := specgen.AddProcessCapabilityPermitted(c); err != nil {
 				return err
 			}
+			if addInheritableCapabilities {
+				if err := specgen.AddProcessCapabilityInheritable(c); err != nil {
+					return err
+				}
+			}
 		}
 	}
 	if dropAll {
@@ -644,6 +649,11 @@ func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps ca
 			if err := specgen.DropProcessCapabilityPermitted(c); err != nil {
 				return err
 			}
+			if addInheritableCapabilities {
+				if err := specgen.DropProcessCapabilityInheritable(c); err != nil {
+					return err
+				}
+			}
 		}
 	}
 
@@ -668,6 +678,11 @@ func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps ca
 		if err := specgen.AddProcessCapabilityPermitted(capPrefixed); err != nil {
 			return err
 		}
+		if addInheritableCapabilities {
+			if err := specgen.AddProcessCapabilityInheritable(capPrefixed); err != nil {
+				return err
+			}
+		}
 	}
 
 	for _, cap := range caps.DropCapabilities {
@@ -687,6 +702,11 @@ func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps ca
 		if err := specgen.DropProcessCapabilityPermitted(capPrefixed); err != nil {
 			return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
 		}
+		if addInheritableCapabilities {
+			if err := specgen.DropProcessCapabilityInheritable(capPrefixed); err != nil {
+				return err
+			}
+		}
 	}
 
 	return nil

@@ -533,7 +533,7 @@ var _ = t.Describe("Container", func() {
 			var caps *types.Capability
 			serverCaps := capabilities.Default()
 
-			Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil())
+			Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil())
 			verifyCapValues(sut.Spec().Config.Process.Capabilities, len(serverCaps))
 		})
 		It("AddCapabilities should add capability", func() {
@@ -543,7 +543,7 @@ var _ = t.Describe("Container", func() {
 			}
 			serverCaps := []string{}
 
-			Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil())
+			Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil())
 			verifyCapValues(sut.Spec().Config.Process.Capabilities, len(serverCaps)+1)
 		})
 		It("DropCapabilities should drop capability", func() {
@@ -553,7 +553,7 @@ var _ = t.Describe("Container", func() {
 			}
 			serverCaps := []string{"CHOWN"}
 
-			Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil())
+			Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil())
 			verifyCapValues(sut.Spec().Config.Process.Capabilities, len(serverCaps)-1)
 		})
 		It("AddCapabilities ALL DropCapabilities one should drop that one", func() {
@@ -563,7 +563,7 @@ var _ = t.Describe("Container", func() {
 			}
 			serverCaps := []string{}
 
-			Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil())
+			Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil())
 			verifyCapValues(sut.Spec().Config.Process.Capabilities, len(capability.List())-1)
 		})
 		It("AddCapabilities one DropCapabilities ALL should add that one", func() {
@@ -573,7 +573,7 @@ var _ = t.Describe("Container", func() {
 			}
 			serverCaps := []string{}
 
-			Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil())
+			Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil())
 			verifyCapValues(sut.Spec().Config.Process.Capabilities, 1)
 		})
 		It("AddCapabilities ALL DropCapabilities ALL should drop all", func() {
@@ -583,7 +583,7 @@ var _ = t.Describe("Container", func() {
 			}
 			serverCaps := []string{}
 
-			Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil())
+			Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil())
 			verifyCapValues(sut.Spec().Config.Process.Capabilities, 0)
 		})
 		It("Invalid values should fail", func() {
@@ -592,7 +592,17 @@ var _ = t.Describe("Container", func() {
 			}
 			serverCaps := []string{}
 
-			Expect(sut.SpecSetupCapabilities(caps, serverCaps)).NotTo(BeNil())
+			Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).NotTo(BeNil())
+		})
+		It("Should add inheritable capabilities if set", func() {
+			caps := &types.Capability{
+				AddCapabilities:  []string{"CHOWN"},
+				DropCapabilities: []string{"ALL"},
+			}
+			serverCaps := []string{}
+
+			Expect(sut.SpecSetupCapabilities(caps, serverCaps, true)).To(BeNil())
+			Expect(len(sut.Spec().Config.Process.Capabilities.Inheritable)).To(Equal(1))
 		})
 	})
 })
@@ -50,7 +50,7 @@ func (s *sandbox) InitInfraContainer(serverConfig *libconfig.Config, podContaine
 	}
 
 	// Add capabilities from crio.conf if default_capabilities is defined
-	if err := s.infra.SpecSetupCapabilities(&types.Capability{}, serverConfig.DefaultCapabilities); err != nil {
+	if err := s.infra.SpecSetupCapabilities(&types.Capability{}, serverConfig.DefaultCapabilities, serverConfig.AddInheritableCapabilities); err != nil {
 		return err
 	}
 

@@ -253,6 +253,10 @@ type RuntimeConfig struct {
 	// Capabilities to add to all containers.
 	DefaultCapabilities capabilities.Capabilities `toml:"default_capabilities"`
 
+	// AddInheritableCapabilities can be set to add inheritable capabilities. They were pre-1.23 by default, and were dropped in 1.24.
+	// This can cause a regression with non-root users not getting capabilities as they previously did.
+	AddInheritableCapabilities bool `toml:"add_inheritable_capabilities"`
+
 	// Additional environment variables to set for all the
 	// containers. These are overridden if set in the
 	// container image spec or in the container runtime configuration.
@@ -794,6 +798,7 @@ func DefaultConfig() (*Config, error) {
 			LogSizeMax:                 DefaultLogSizeMax,
 			CtrStopTimeout:             defaultCtrStopTimeout,
 			DefaultCapabilities:        capabilities.Default(),
+			AddInheritableCapabilities: true,
 			LogLevel:                   "info",
 			HooksDir:                   []string{hooks.DefaultDir},
 			CDISpecDirs:                cdi.DefaultSpecDirs,

@@ -282,6 +282,11 @@ func initCrioTemplateConfig(c *Config) ([]*templateConfigValue, error) {
 			group:          crioRuntimeConfig,
 			isDefaultValue: stringSliceEqual(dc.DefaultCapabilities, c.DefaultCapabilities),
 		},
+		{
+			templateString: templateStringCrioRuntimeAddInheritableCapabilities,
+			group:          crioRuntimeConfig,
+			isDefaultValue: simpleEqual(dc.AddInheritableCapabilities, c.AddInheritableCapabilities),
+		},
 		{
 			templateString: templateStringCrioRuntimeDefaultSysctls,
 			group:          crioRuntimeConfig,
@@ -867,6 +872,12 @@ const templateStringCrioRuntimeDefaultCapabilities = `# List of default capabili
 
 `
 
+const templateStringCrioRuntimeAddInheritableCapabilities = `# Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective.
+# If capabilities are expected to work for non-root users, this option should be set.
+{{ $.Comment }}add_inheritable_capabilities = {{ .AddInheritableCapabilities }}
+
+`
+
 const templateStringCrioRuntimeDefaultSysctls = `# List of default sysctls. If it is empty or commented out, only the sysctls
 # defined in the container json file by the user/kube will be added.
 {{ $.Comment }}default_sysctls = [

@@ -434,7 +434,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrfactory.Cont
 			specgen.SetupPrivileged(true)
 		} else {
 			capabilities := securityContext.Capabilities
-			if err := ctr.SpecSetupCapabilities(capabilities, s.config.DefaultCapabilities); err != nil {
+			if err := ctr.SpecSetupCapabilities(capabilities, s.config.DefaultCapabilities, s.config.AddInheritableCapabilities); err != nil {
 				return nil, err
 			}
 		}

@@ -695,6 +695,18 @@ function check_oci_annotation() {
 	[[ "$output" =~ 00000000002020db ]]
 }
 
+@test "ctr with add_inheritable_capabilities has inheritable capabilities" {
+	CONTAINER_ADD_INHERITABLE_CAPABILITIES=true start_crio
+	pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
+
+	jq '	  .linux.security_context.run_as_username = "redis"' \
+		"$TESTDATA"/container_redis.json > "$newconfig"
+	ctr_id=$(crictl create "$pod_id" "$newconfig" "$TESTDATA"/sandbox_config.json)
+	crictl start "$ctr_id"
+
+	crictl exec --sync "$ctr_id" grep "CapEff:\s0000000000000000" /proc/1/status
+}
+
 @test "ctr oom" {
 	start_crio
 	pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)