feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970)

* feat(containers): Prevent non-admin users from running containers using the host namespace pid * feat(containers): add rbac check for swarm stack too * feat(containers): remove forgotten conflict * feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action * feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html * feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers
2020-07-07 23:48:34 +02:00
parent b0ad212858
commit 0f58ece899
13 changed files with 95 additions and 30 deletions
--- a/api/http/handler/stacks/handler.go
+++ b/api/http/handler/stacks/handler.go
@@ -1,12 +1,13 @@
 package stacks

 import (
+	"errors"
 	"net/http"
 	"sync"

 	"github.com/gorilla/mux"
 	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
 )

@@ -111,3 +112,30 @@ func (handler *Handler) userCanCreateStack(securityContext *security.RestrictedR
 	}
 	return false, nil
 }
+
+func (handler *Handler) userIsAdminOrEndpointAdmin(user *portainer.User, endpointID portainer.EndpointID) (bool, error) {
+	isAdmin := user.Role == portainer.AdministratorRole
+
+	rbacExtension, err := handler.ExtensionService.Extension(portainer.RBACExtension)
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return false, errors.New("Unable to verify if RBAC extension is loaded")
+	}
+
+	endpointResourceAccess := false
+	_, ok := user.EndpointAuthorizations[portainer.EndpointID(endpointID)][portainer.EndpointResourcesAccess]
+	if ok {
+		endpointResourceAccess = true
+	}
+
+	if rbacExtension != nil {
+		if isAdmin || endpointResourceAccess {
+			return true, nil
+		}
+	} else {
+		if isAdmin {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}