coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/ci.yaml
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/security.yaml
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/security.yaml
Lines changed: 3 additions & 3 deletions
diff --git a/‎agent/agentexec/cli_linux.go
Lines changed: 62 additions & 13 deletions b/‎agent/agentexec/cli_linux.go
Lines changed: 62 additions & 13 deletions
diff --git a/‎agent/agentexec/cli_linux_test.go
Lines changed: 81 additions & 2 deletions b/‎agent/agentexec/cli_linux_test.go
Lines changed: 81 additions & 2 deletions
diff --git a/‎cli/testdata/coder_templates_init_--help.golden
Lines changed: 1 addition & 1 deletion b/‎cli/testdata/coder_templates_init_--help.golden
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/admin/templates/extending-templates/docker-in-workspaces.md
Lines changed: 1 addition & 1 deletion b/‎docs/admin/templates/extending-templates/docker-in-workspaces.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/admin/templates/managing-templates/devcontainers/add-devcontainer.md
Lines changed: 4 additions & 4 deletions b/‎docs/admin/templates/managing-templates/devcontainers/add-devcontainer.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/reference/cli/templates_init.md
Lines changed: 3 additions & 3 deletions b/‎docs/reference/cli/templates_init.md
Lines changed: 3 additions & 3 deletions
@@ -188,7 +188,7 @@ jobs:
 
       # Check for any typos
       - name: Check for typos
-        uses: crate-ci/typos@b74202f74b4346efdbce7801d187ec57b266bac8 # v1.27.3
+        uses: crate-ci/typos@2872c382bb9668d4baa5eade234dcbc0048ca2cf # v1.28.2
         with:
           config: .github/workflows/typos.toml
 
@@ -540,7 +540,7 @@ jobs:
     timeout-minutes: 25
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
@@ -1146,7 +1146,7 @@ jobs:
           version: "2.2.1"
 
       - name: Get Cluster Credentials
-        uses: google-github-actions/get-gke-credentials@206d64b64b0eba0a6e2f25113d044c31776ca8d6 # v2.2.2
+        uses: google-github-actions/get-gke-credentials@9025e8f90f2d8e0c3dafc3128cc705a26d992a6a # v2.3.0
         with:
           cluster_name: dogfood-v2
           location: us-central1-a
 
@@ -47,6 +47,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:
           sarif_file: results.sarif
@@ -38,7 +38,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:
           languages: go, javascript
 
@@ -48,7 +48,7 @@ jobs:
           rm Makefile
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
 
       - name: Send Slack notification on failure
         if: ${{ failure() }}
@@ -144,7 +144,7 @@ jobs:
           severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:
           sarif_file: trivy-results.sarif
           category: "Trivy"
 
@@ -9,12 +9,14 @@ import (
 	"os"
 	"os/exec"
 	"runtime"
+	"slices"
 	"strconv"
 	"strings"
 	"syscall"
 
 	"golang.org/x/sys/unix"
 	"golang.org/x/xerrors"
+	"kernel.org/pub/linux/libs/security/libcap/cap"
 )
 
 // CLI runs the agent-exec command. It should only be called by the cli package.
@@ -48,6 +50,14 @@ func CLI() error {
 		return xerrors.Errorf("no exec command provided %+v", os.Args)
 	}
 
+	if *oom == unset {
+		// If an explicit oom score isn't set, we use the default.
+		*oom, err = defaultOOMScore()
+		if err != nil {
+			return xerrors.Errorf("get default oom score: %w", err)
+		}
+	}
+
 	if *nice == unset {
 		// If an explicit nice score isn't set, we use the default.
 		*nice, err = defaultNiceScore()
@@ -56,36 +66,62 @@ func CLI() error {
 		}
 	}
 
-	if *oom == unset {
-		// If an explicit oom score isn't set, we use the default.
-		*oom, err = defaultOOMScore()
-		if err != nil {
-			return xerrors.Errorf("get default oom score: %w", err)
-		}
+	// We drop effective caps prior to setting dumpable so that we limit the
+	// impact of someone attempting to hijack the process (i.e. with a debugger)
+	// to take advantage of the capabilities of the agent process. We encourage
+	// users to set cap_net_admin on the agent binary for improved networking
+	// performance and doing so results in the process having its SET_DUMPABLE
+	// attribute disabled (meaning we cannot adjust the oom score).
+	err = dropEffectiveCaps()
+	if err != nil {
+		printfStdErr("failed to drop effective caps: %v", err)
 	}
 
-	err = unix.Setpriority(unix.PRIO_PROCESS, 0, *nice)
+	// Set dumpable to 1 so that we can adjust the oom score. If the process
+	// doesn't have capabilities or has an suid/sgid bit set, this is already
+	// set.
+	err = unix.Prctl(unix.PR_SET_DUMPABLE, 1, 0, 0, 0)
 	if err != nil {
-		// We alert the user instead of failing the command since it can be difficult to debug
-		// for a template admin otherwise. It's quite possible (and easy) to set an
-		// inappriopriate value for niceness.
-		printfStdErr("failed to adjust niceness to %d for cmd %+v: %v", *nice, args, err)
+		printfStdErr("failed to set dumpable: %v", err)
 	}
 
 	err = writeOOMScoreAdj(*oom)
 	if err != nil {
 		// We alert the user instead of failing the command since it can be difficult to debug
 		// for a template admin otherwise. It's quite possible (and easy) to set an
 		// inappriopriate value for oom_score_adj.
-		printfStdErr("failed to adjust oom score to %d for cmd %+v: %v", *oom, args, err)
+		printfStdErr("failed to adjust oom score to %d for cmd %+v: %v", *oom, execArgs(os.Args), err)
+	}
+
+	// Set dumpable back to 0 just to be safe. It's not inherited for execve anyways.
+	err = unix.Prctl(unix.PR_SET_DUMPABLE, 0, 0, 0, 0)
+	if err != nil {
+		printfStdErr("failed to unset dumpable: %v", err)
+	}
+
+	err = unix.Setpriority(unix.PRIO_PROCESS, 0, *nice)
+	if err != nil {
+		// We alert the user instead of failing the command since it can be difficult to debug
+		// for a template admin otherwise. It's quite possible (and easy) to set an
+		// inappriopriate value for niceness.
+		printfStdErr("failed to adjust niceness to %d for cmd %+v: %v", *nice, args, err)
 	}
 
 	path, err := exec.LookPath(args[0])
 	if err != nil {
 		return xerrors.Errorf("look path: %w", err)
 	}
 
-	return syscall.Exec(path, args, os.Environ())
+	// Remove environment variables specific to the agentexec command. This is
+	// especially important for environments that are attempting to develop Coder in Coder.
+	env := os.Environ()
+	env = slices.DeleteFunc(env, func(e string) bool {
+		return strings.HasPrefix(e, EnvProcPrioMgmt) ||
+			strings.HasPrefix(e, EnvProcOOMScore) ||
+			strings.HasPrefix(e, EnvProcNiceScore)
+	})
+
+	return syscall.Exec(path, args, env)
 }
 
 func defaultNiceScore() (int, error) {
@@ -151,3 +187,16 @@ func execArgs(args []string) []string {
 func printfStdErr(format string, a ...any) {
 	_, _ = fmt.Fprintf(os.Stderr, "coder-agent: %s\n", fmt.Sprintf(format, a...))
 }
+
+func dropEffectiveCaps() error {
+	proc := cap.GetProc()
+	err := proc.ClearFlag(cap.Effective)
+	if err != nil {
+		return xerrors.Errorf("clear effective caps: %w", err)
+	}
+	err = proc.SetProc()
+	if err != nil {
+		return xerrors.Errorf("set proc: %w", err)
+	}
+	return nil
+}
@@ -10,6 +10,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"slices"
 	"strconv"
 	"strings"
 	"syscall"
@@ -18,7 +19,9 @@ import (
 
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/unix"
+	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/v2/agent/agentexec"
 	"github.com/coder/coder/v2/testutil"
 )
 
@@ -36,6 +39,32 @@ func TestCLI(t *testing.T) {
 		requireNiceScore(t, cmd.Process.Pid, 12)
 	})
 
+	t.Run("FiltersEnv", func(t *testing.T) {
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		cmd, path := cmd(ctx, t, 123, 12)
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=true", agentexec.EnvProcPrioMgmt))
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=123", agentexec.EnvProcOOMScore))
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=12", agentexec.EnvProcNiceScore))
+		// Ensure unrelated environment variables are preserved.
+		cmd.Env = append(cmd.Env, "CODER_TEST_ME_AGENTEXEC=true")
+		err := cmd.Start()
+		require.NoError(t, err)
+		go cmd.Wait()
+		waitForSentinel(ctx, t, cmd, path)
+
+		env := procEnv(t, cmd.Process.Pid)
+		hasExecEnvs := slices.ContainsFunc(
+			env,
+			func(e string) bool {
+				return strings.HasPrefix(e, agentexec.EnvProcPrioMgmt) ||
+					strings.HasPrefix(e, agentexec.EnvProcOOMScore) ||
+					strings.HasPrefix(e, agentexec.EnvProcNiceScore)
+			})
+		require.False(t, hasExecEnvs, "expected environment variables to be filtered")
+		userEnv := slices.Contains(env, "CODER_TEST_ME_AGENTEXEC=true")
+		require.True(t, userEnv, "expected user environment variables to be preserved")
+	})
+
 	t.Run("Defaults", func(t *testing.T) {
 		ctx := testutil.Context(t, testutil.WaitMedium)
 		cmd, path := cmd(ctx, t, 0, 0)
@@ -50,6 +79,32 @@ func TestCLI(t *testing.T) {
 		requireOOMScore(t, cmd.Process.Pid, expectedOOM)
 		requireNiceScore(t, cmd.Process.Pid, expectedNice)
 	})
+
+	t.Run("Capabilities", func(t *testing.T) {
+		testdir := filepath.Dir(TestBin)
+		capDir := filepath.Join(testdir, "caps")
+		err := os.Mkdir(capDir, 0o755)
+		require.NoError(t, err)
+		bin := buildBinary(capDir)
+		// Try to set capabilities on the binary. This should work fine in CI but
+		// it's possible some developers may be working in an environment where they don't have the necessary permissions.
+		err = setCaps(t, bin, "cap_net_admin")
+		if os.Getenv("CI") != "" {
+			require.NoError(t, err)
+		} else if err != nil {
+			t.Skipf("unable to set capabilities for test: %v", err)
+		}
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		cmd, path := binCmd(ctx, t, bin, 123, 12)
+		err = cmd.Start()
+		require.NoError(t, err)
+		go cmd.Wait()
+
+		waitForSentinel(ctx, t, cmd, path)
+		// This is what we're really testing, a binary with added capabilities requires setting dumpable.
+		requireOOMScore(t, cmd.Process.Pid, 123)
+		requireNiceScore(t, cmd.Process.Pid, 12)
+	})
 }
 
 func requireNiceScore(t *testing.T, pid int, score int) {
@@ -94,7 +149,7 @@ func waitForSentinel(ctx context.Context, t *testing.T, cmd *exec.Cmd, path stri
 	}
 }
 
-func cmd(ctx context.Context, t *testing.T, oom, nice int) (*exec.Cmd, string) {
+func binCmd(ctx context.Context, t *testing.T, bin string, oom, nice int) (*exec.Cmd, string) {
 	var (
 		args = execArgs(oom, nice)
 		dir  = t.TempDir()
@@ -103,7 +158,7 @@ func cmd(ctx context.Context, t *testing.T, oom, nice int) (*exec.Cmd, string) {
 
 	args = append(args, "sh", "-c", fmt.Sprintf("touch %s && sleep 10m", file))
 	//nolint:gosec
-	cmd := exec.CommandContext(ctx, TestBin, args...)
+	cmd := exec.CommandContext(ctx, bin, args...)
 
 	// We set this so we can also easily kill the sleep process the shell spawns.
 	cmd.SysProcAttr = &syscall.SysProcAttr{
@@ -127,6 +182,10 @@ func cmd(ctx context.Context, t *testing.T, oom, nice int) (*exec.Cmd, string) {
 	return cmd, file
 }
 
+func cmd(ctx context.Context, t *testing.T, oom, nice int) (*exec.Cmd, string) {
+	return binCmd(ctx, t, TestBin, oom, nice)
+}
+
 func expectedOOMScore(t *testing.T) int {
 	t.Helper()
 
@@ -145,6 +204,15 @@ func expectedOOMScore(t *testing.T) int {
 	return 998
 }
 
+// procEnv returns the environment variables for a given process.
+func procEnv(t *testing.T, pid int) []string {
+	t.Helper()
+
+	env, err := os.ReadFile(fmt.Sprintf("/proc/%d/environ", pid))
+	require.NoError(t, err)
+	return strings.Split(string(env), "\x00")
+}
+
 func expectedNiceScore(t *testing.T) int {
 	t.Helper()
 
@@ -171,3 +239,14 @@ func execArgs(oom int, nice int) []string {
 	execArgs = append(execArgs, "--")
 	return execArgs
 }
+
+func setCaps(t *testing.T, bin string, caps ...string) error {
+	t.Helper()
+
+	setcap := fmt.Sprintf("sudo -n setcap %s=ep %s", strings.Join(caps, ", "), bin)
+	out, err := exec.CommandContext(context.Background(), "sh", "-c", setcap).CombinedOutput()
+	if err != nil {
+		return xerrors.Errorf("setcap %q (%s): %w", setcap, out, err)
+	}
+	return nil
+}
@@ -6,7 +6,7 @@ USAGE:
   Get started with a templated template.
 
 OPTIONS:
-      --id aws-devcontainer|aws-linux|aws-windows|azure-linux|devcontainer-docker|devcontainer-kubernetes|do-linux|docker|gcp-devcontainer|gcp-linux|gcp-vm-container|gcp-windows|kubernetes|nomad-docker|scratch
+      --id aws-devcontainer|aws-linux|aws-windows|azure-linux|digitalocean-linux|docker|docker-devcontainer|gcp-devcontainer|gcp-linux|gcp-vm-container|gcp-windows|kubernetes|kubernetes-devcontainer|nomad-docker|scratch
           Specify a given example template by ID.
 
 ———
 
@@ -148,7 +148,7 @@ nodes. Refer to sysbox's
 to ensure your nodes are compliant.
 
 To get started with `envbox` check out the
-[starter template](https://github.com/coder/coder/tree/main/examples/templates/envbox)
+[starter template](https://github.com/coder/coder/tree/main/examples/templates/kubernetes-envbox)
 or visit the [repo](https://github.com/coder/envbox).
 
 ### Authenticating with a Private Registry
 
@@ -38,7 +38,7 @@ choose a template from the
 1. Use the `template init` command to initialize your choice of image:
 
    ```shell
-   coder template init --id devcontainer-kubernetes
+   coder template init --id kubernetes-devcontainer
    ```
 
    A list of available templates is shown in the
@@ -47,7 +47,7 @@ choose a template from the
 1. `cd` into the directory and push the template to your Coder deployment:
 
    ```shell
-   cd devcontainer-kubernetes && coder templates push
+   cd kubernetes-devcontainer && coder templates push
    ```
 
    You can also edit the files or make changes to the files before you push them
@@ -122,8 +122,8 @@ their development environments:
 
 | Template                                                                                                            | Description                                                                                                                                                         |
 | ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [Docker dev containers](https://github.com/coder/coder/tree/main/examples/templates/devcontainer-docker)            | Docker provisions a development container.                                                                                                                          |
-| [Kubernetes dev containers](https://github.com/coder/coder/tree/main/examples/templates/devcontainer-kubernetes)    | Provisions a development container on the Kubernetes cluster.                                                                                                       |
+| [Docker dev containers](https://github.com/coder/coder/tree/main/examples/templates/docker-devcontainer)            | Docker provisions a development container.                                                                                                                          |
+| [Kubernetes dev containers](https://github.com/coder/coder/tree/main/examples/templates/kubernetes-devcontainer)    | Provisions a development container on the Kubernetes cluster.                                                                                                       |
 | [Google Compute Engine dev container](https://github.com/coder/coder/tree/main/examples/templates/gcp-devcontainer) | Runs a development container inside a single GCP instance. It also mounts the Docker socket from the VM inside the container to enable Docker inside the workspace. |
 | [AWS EC2 dev container](https://github.com/coder/coder/tree/main/examples/templates/aws-devcontainer)               | Runs a development container inside a single EC2 instance. It also mounts the Docker socket from the VM inside the container to enable Docker inside the workspace. |