blackroad-os/backroad
9
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970)

Browse Source 
* feat(containers): Prevent non-admin users from running containers using the host namespace pid

* feat(containers): add rbac check for swarm stack too

* feat(containers): remove forgotten conflict

* feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action

* feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html

* feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers
This commit is contained in:
Maxime Bajeux
2020-07-07 23:48:34 +02:00
committed by GitHub
parent b0ad212858
commit 0f58ece899
13 changed files with 95 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
api/http/handler/stacks/create_compose_stack.go
View File

@@ -1,7 +1,6 @@
package stacks
import (
"errors"
"net/http"
"path"
"regexp"
@@ -331,29 +330,12 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
return err
}
rbacExtension, err := handler.ExtensionService.Extension(portainer.RBACExtension)
if err != nil && err != portainer.ErrObjectNotFound {
return errors.New("Unable to verify if RBAC extension is loaded")
isAdminOrEndpointAdmin, err := handler.userIsAdminOrEndpointAdmin(config.user, config.endpoint.ID)
if err != nil {
return err
}
endpointResourceAccess := false
_, ok := config.user.EndpointAuthorizations[portainer.EndpointID(config.endpoint.ID)][portainer.EndpointResourcesAccess]
if ok {
endpointResourceAccess = true
}
mustBeChecked := false
if rbacExtension != nil {
if !config.isAdmin && !endpointResourceAccess {
mustBeChecked = true
}
} else {
if !config.isAdmin {
mustBeChecked = true
}
}
if (!settings.AllowBindMountsForRegularUsers || !settings.AllowPrivilegedModeForRegularUsers) && mustBeChecked {
if (!settings.AllowBindMountsForRegularUsers || !settings.AllowPrivilegedModeForRegularUsers || !settings.AllowHostNamespaceForRegularUsers) && !isAdminOrEndpointAdmin {
composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
stackContent, err := handler.FileService.GetFileContent(composeFilePath)