feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970)

* feat(containers): Prevent non-admin users from running containers using the host namespace pid * feat(containers): add rbac check for swarm stack too * feat(containers): remove forgotten conflict * feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action * feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html * feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers
2020-07-07 23:48:34 +02:00
parent b0ad212858
commit 0f58ece899
13 changed files with 95 additions and 30 deletions
--- a/api/http/handler/stacks/stack_create.go
+++ b/api/http/handler/stacks/stack_create.go
@@ -156,6 +156,10 @@ func (handler *Handler) isValidStackFile(stackFileContent []byte, settings *port
 		if !settings.AllowPrivilegedModeForRegularUsers && service.Privileged == true {
 			return errors.New("privileged mode disabled for non administrator users")
 		}
+
+		if !settings.AllowHostNamespaceForRegularUsers && service.Pid == "host" {
+			return errors.New("pid host disabled for non administrator users")
+		}
 	}

 	return nil