From 640ddd6df98ae57d8f8a6155bb876fe2b696e90b Mon Sep 17 00:00:00 2001 From: Alberto Faria Date: Wed, 17 Apr 2024 21:13:32 +0100 Subject: [PATCH] create: Forbid --privileged There should be no reason to use it with crun-vm and it causes problems with additional devices being mounted into the container and crun-vm trying to pass those through to the guest. Signed-off-by: Alberto Faria --- src/commands/create/mod.rs | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/commands/create/mod.rs b/src/commands/create/mod.rs index 64fee69..799040b 100644 --- a/src/commands/create/mod.rs +++ b/src/commands/create/mod.rs @@ -33,6 +33,24 @@ pub fn create(args: &liboci_cli::Create, raw_args: &[impl AsRef]) -> Resu let mut spec = oci_spec::runtime::Spec::load(&config_path)?; let original_root_path: Utf8PathBuf = spec.root_path()?.canonicalize()?.try_into()?; // ensure absolute + if let Some(process) = spec.process().as_ref() { + if let Some(capabilities) = process.capabilities().as_ref() { + fn any_is_cap_sys_admin(caps: &Option) -> bool { + caps.as_ref() + .is_some_and(|set| set.contains(&oci_spec::runtime::Capability::SysAdmin)) + } + + ensure!( + !any_is_cap_sys_admin(capabilities.bounding()) + && !any_is_cap_sys_admin(capabilities.effective()) + && !any_is_cap_sys_admin(capabilities.inheritable()) + && !any_is_cap_sys_admin(capabilities.permitted()) + && !any_is_cap_sys_admin(capabilities.ambient()), + "crun-vm should not be used with --privileged" + ); + } + } + let runtime_env = RuntimeEnv::current(&spec, &original_root_path)?; let custom_options = CustomOptions::from_spec(&spec, runtime_env)?;
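Review bot: The `ensure!` message in the new block does not describe the condition it tests: the guard fires on CAP_SYS_ADMIN in any of the five capability sets, so a container created with `--cap-add=SYS_ADMIN` and no `--privileged` is refused with a message naming a flag the user never passed, while a `--privileged` container that drops SYS_ADMIN again (if the runtime permits that) passes the check even though the extra device nodes the commit message is concerned about are presumably still in the spec. Naming the actual condition avoids the confusion, e.g. `"crun-vm must not be given CAP_SYS_ADMIN (e.g. via --privileged)"`, and if the injected devices are the real problem, a guard on the spec's device list would be the more direct check — that part of the spec handling is not visible here. Stylistically, the nested `fn any_is_cap_sys_admin` plus five `&&` terms could be hoisted above the `if let` and collapsed to `[capabilities.bounding(), capabilities.effective(), capabilities.inheritable(), capabilities.permitted(), capabilities.ambient()].into_iter().any(any_is_cap_sys_admin)`, so adding a sixth set later is a one-token change. The enclosing `create` function starts before this hunk and continues past it.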