Merge pull request #15298 from pweil-/allow-chroot

openshift-merge-robot · web-flow · commit 79c395045418 · 2017-09-18T11:46:49.000-07:00
Automatic merge from submit-queue (batch tested with PRs 15834, 16321, 16353, 15298, 15433) allow sys_chroot cap on SCCs Removes the requirement to drop chroot. @smarterclayton
diff --git a/pkg/build/controller/strategy/sti.go b/pkg/build/controller/strategy/sti.go
@@ -33,7 +33,6 @@ var DefaultDropCaps = []string{
 	"MKNOD",
 	"SETGID",
 	"SETUID",
-	"SYS_CHROOT",
 }
 
 // CreateBuildPod creates a pod that will execute the STI build
diff --git a/pkg/build/controller/strategy/sti_test.go b/pkg/build/controller/strategy/sti_test.go
@@ -130,7 +130,7 @@ func testSTICreateBuildPod(t *testing.T, rootAllowed bool) {
 		if v.Name == buildapi.AllowedUIDs && v.Value == "1-" {
 			foundAllowedUIDs = true
 		}
-		if v.Name == buildapi.DropCapabilities && v.Value == "KILL,MKNOD,SETGID,SETUID,SYS_CHROOT" {
+		if v.Name == buildapi.DropCapabilities && v.Value == "KILL,MKNOD,SETGID,SETUID" {
 			foundDropCaps = true
 		}
 	}
diff --git a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
@@ -205,7 +205,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
 				Type: securityapi.SupplementalGroupsStrategyRunAsAny,
 			},
 			// drops unsafe caps
-			RequiredDropCapabilities: []kapi.Capability{"KILL", "MKNOD", "SYS_CHROOT", "SETUID", "SETGID"},
+			RequiredDropCapabilities: []kapi.Capability{"KILL", "MKNOD", "SETUID", "SETGID"},
 		},
 		// SecurityContextConstraintsAnyUID allows no host access and allocates SELinux.
 		{
@@ -234,7 +234,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
 			// prefer the anyuid SCC over ones that force a uid
 			Priority: &securityContextConstraintsAnyUIDPriority,
 			// drops unsafe caps
-			RequiredDropCapabilities: []kapi.Capability{"MKNOD", "SYS_CHROOT"},
+			RequiredDropCapabilities: []kapi.Capability{"MKNOD"},
 		},
 		// SecurityContextConstraintsHostNetwork allows host network and host ports
 		{
@@ -266,7 +266,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
 				Type: securityapi.SupplementalGroupsStrategyMustRunAs,
 			},
 			// drops unsafe caps
-			RequiredDropCapabilities: []kapi.Capability{"KILL", "MKNOD", "SYS_CHROOT", "SETUID", "SETGID"},
+			RequiredDropCapabilities: []kapi.Capability{"KILL", "MKNOD", "SETUID", "SETGID"},
 		},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,6 @@ var DefaultDropCaps = []string{`
`33`	`33`	`"MKNOD",`
`34`	`34`	`"SETGID",`
`35`	`35`	`"SETUID",`
`36`		`- "SYS_CHROOT",`
`37`	`36`	`}`
`38`	`37`
`39`	`38`	`// CreateBuildPod creates a pod that will execute the STI build`
Original file line number	Diff line number	Diff line change
`@@ -130,7 +130,7 @@ func testSTICreateBuildPod(t *testing.T, rootAllowed bool) {`
`130`	`130`	`if v.Name == buildapi.AllowedUIDs && v.Value == "1-" {`
`131`	`131`	`foundAllowedUIDs = true`
`132`	`132`	`}`
`133`		`- if v.Name == buildapi.DropCapabilities && v.Value == "KILL,MKNOD,SETGID,SETUID,SYS_CHROOT" {`
	`133`	`+ if v.Name == buildapi.DropCapabilities && v.Value == "KILL,MKNOD,SETGID,SETUID" {`
`134`	`134`	`foundDropCaps = true`
`135`	`135`	`}`
`136`	`136`	`}`