fix(settings): A database migration is missing for that new setting

feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970 )
* feat(containers): Prevent non-admin users from running containers using the host namespace pid * feat(containers): add rbac check for swarm stack too * feat(containers): remove forgotten conflict * feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action * feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html * feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers
2020-07-10 01:39:32 +02:00 · 2020-07-08 09:48:34 +12:00 · 2020-07-07 10:59:33 +12:00 · 2020-07-01 09:34:43 +12:00 · 2020-06-30 17:13:37 +12:00 · 2020-06-16 17:22:51 +12:00
28 changed files with 419 additions and 133 deletions
--- a/api/bolt/migrator/migrate_dbversion22.go
+++ b/api/bolt/migrator/migrate_dbversion22.go
@@ -1,6 +1,17 @@
 package migrator

-import "github.com/portainer/portainer/api"
+import portainer "github.com/portainer/portainer/api"
+
+func (m *Migrator) updateSettingsToDBVersion23() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	legacySettings.AllowHostNamespaceForRegularUsers = true
+
+	return m.settingsService.UpdateSettings(legacySettings)
+}

 func (m *Migrator) updateTagsToDBVersion23() error {
 	tags, err := m.tagService.Tags()
--- a/api/bolt/migrator/migrator.go
+++ b/api/bolt/migrator/migrator.go
@@ -2,7 +2,7 @@ package migrator

 import (
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/endpoint"
 	"github.com/portainer/portainer/api/bolt/endpointgroup"
 	"github.com/portainer/portainer/api/bolt/endpointrelation"
@@ -309,7 +309,7 @@ func (m *Migrator) Migrate() error {
 		}
 	}

-	// Portainer 1.24.0
+	// Portainer 1.24.1-dev
 	if m.currentDBVersion < 23 {
 		err := m.updateTagsToDBVersion23()
 		if err != nil {
@@ -320,6 +320,11 @@ func (m *Migrator) Migrate() error {
 		if err != nil {
 			return err
 		}
+
+		err = m.updateSettingsToDBVersion23()
+		if err != nil {
+			return err
+		}
 	}

 	return m.versionService.StoreDBVersion(portainer.DBVersion)
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -9,7 +9,7 @@ import (

 	"github.com/portainer/portainer/api/chisel"

-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt"
 	"github.com/portainer/portainer/api/cli"
 	"github.com/portainer/portainer/api/cron"
@@ -274,6 +274,7 @@ func initSettings(settingsService portainer.SettingsService, flags *portainer.CL
 			AllowPrivilegedModeForRegularUsers: true,
 			AllowVolumeBrowserForRegularUsers:  false,
 			EnableHostManagementFeatures:       false,
+			AllowHostNamespaceForRegularUsers:  true,
 			SnapshotInterval:                   *flags.SnapshotInterval,
 			EdgeAgentCheckinInterval:           portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
 		}
--- a/api/http/handler/settings/settings_public.go
+++ b/api/http/handler/settings/settings_public.go
@@ -6,19 +6,21 @@ import (

 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )

 type publicSettingsResponse struct {
-	LogoURL                            string                         `json:"LogoURL"`
-	AuthenticationMethod               portainer.AuthenticationMethod `json:"AuthenticationMethod"`
-	AllowBindMountsForRegularUsers     bool                           `json:"AllowBindMountsForRegularUsers"`
-	AllowPrivilegedModeForRegularUsers bool                           `json:"AllowPrivilegedModeForRegularUsers"`
-	AllowVolumeBrowserForRegularUsers  bool                           `json:"AllowVolumeBrowserForRegularUsers"`
-	EnableHostManagementFeatures       bool                           `json:"EnableHostManagementFeatures"`
-	EnableEdgeComputeFeatures          bool                           `json:"EnableEdgeComputeFeatures"`
-	ExternalTemplates                  bool                           `json:"ExternalTemplates"`
-	OAuthLoginURI                      string                         `json:"OAuthLoginURI"`
+	LogoURL                               string                         `json:"LogoURL"`
+	AuthenticationMethod                  portainer.AuthenticationMethod `json:"AuthenticationMethod"`
+	AllowBindMountsForRegularUsers        bool                           `json:"AllowBindMountsForRegularUsers"`
+	AllowPrivilegedModeForRegularUsers    bool                           `json:"AllowPrivilegedModeForRegularUsers"`
+	AllowVolumeBrowserForRegularUsers     bool                           `json:"AllowVolumeBrowserForRegularUsers"`
+	EnableHostManagementFeatures          bool                           `json:"EnableHostManagementFeatures"`
+	EnableEdgeComputeFeatures             bool                           `json:"EnableEdgeComputeFeatures"`
+	ExternalTemplates                     bool                           `json:"ExternalTemplates"`
+	OAuthLoginURI                         string                         `json:"OAuthLoginURI"`
+	DisableStackManagementForRegularUsers bool                           `json:"DisableStackManagementForRegularUsers"`
+	AllowHostNamespaceForRegularUsers     bool                           `json:"AllowHostNamespaceForRegularUsers"`
 }

 // GET request on /api/settings/public
@@ -36,12 +38,14 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 		AllowVolumeBrowserForRegularUsers:  settings.AllowVolumeBrowserForRegularUsers,
 		EnableHostManagementFeatures:       settings.EnableHostManagementFeatures,
 		EnableEdgeComputeFeatures:          settings.EnableEdgeComputeFeatures,
+		AllowHostNamespaceForRegularUsers:  settings.AllowHostNamespaceForRegularUsers,
 		ExternalTemplates:                  false,
 		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&prompt=login",
 			settings.OAuthSettings.AuthorizationURI,
 			settings.OAuthSettings.ClientID,
 			settings.OAuthSettings.RedirectURI,
 			settings.OAuthSettings.Scopes),
+		DisableStackManagementForRegularUsers: settings.DisableStackManagementForRegularUsers,
 	}

 	if settings.TemplatesURL != "" {
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@@ -7,24 +7,26 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 )

 type settingsUpdatePayload struct {
-	LogoURL                            *string
-	BlackListedLabels                  []portainer.Pair
-	AuthenticationMethod               *int
-	LDAPSettings                       *portainer.LDAPSettings
-	OAuthSettings                      *portainer.OAuthSettings
-	AllowBindMountsForRegularUsers     *bool
-	AllowPrivilegedModeForRegularUsers *bool
-	AllowVolumeBrowserForRegularUsers  *bool
-	EnableHostManagementFeatures       *bool
-	SnapshotInterval                   *string
-	TemplatesURL                       *string
-	EdgeAgentCheckinInterval           *int
-	EnableEdgeComputeFeatures          *bool
+	LogoURL                               *string
+	BlackListedLabels                     []portainer.Pair
+	AuthenticationMethod                  *int
+	LDAPSettings                          *portainer.LDAPSettings
+	OAuthSettings                         *portainer.OAuthSettings
+	AllowBindMountsForRegularUsers        *bool
+	AllowPrivilegedModeForRegularUsers    *bool
+	AllowVolumeBrowserForRegularUsers     *bool
+	EnableHostManagementFeatures          *bool
+	SnapshotInterval                      *string
+	TemplatesURL                          *string
+	EdgeAgentCheckinInterval              *int
+	EnableEdgeComputeFeatures             *bool
+	DisableStackManagementForRegularUsers *bool
+	AllowHostNamespaceForRegularUsers     *bool
 }

 func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
@@ -114,6 +116,14 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		settings.EnableEdgeComputeFeatures = *payload.EnableEdgeComputeFeatures
 	}

+	if payload.DisableStackManagementForRegularUsers != nil {
+		settings.DisableStackManagementForRegularUsers = *payload.DisableStackManagementForRegularUsers
+	}
+
+	if payload.AllowHostNamespaceForRegularUsers != nil {
+		settings.AllowHostNamespaceForRegularUsers = *payload.AllowHostNamespaceForRegularUsers
+	}
+
 	if payload.SnapshotInterval != nil && *payload.SnapshotInterval != settings.SnapshotInterval {
 		err := handler.updateSnapshotInterval(settings, *payload.SnapshotInterval)
 		if err != nil {
--- a/api/http/handler/stacks/create_compose_stack.go
+++ b/api/http/handler/stacks/create_compose_stack.go
@@ -1,7 +1,6 @@
 package stacks

 import (
-	"errors"
 	"net/http"
 	"path"
 	"regexp"
@@ -11,7 +10,7 @@ import (
 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/security"
 )
@@ -283,6 +282,7 @@ type composeStackDeploymentConfig struct {
 	dockerhub  *portainer.DockerHub
 	registries []portainer.Registry
 	isAdmin    bool
+	user       *portainer.User
 }

 func (handler *Handler) createComposeDeployConfig(r *http.Request, stack *portainer.Stack, endpoint *portainer.Endpoint) (*composeStackDeploymentConfig, *httperror.HandlerError) {
@@ -302,12 +302,18 @@ func (handler *Handler) createComposeDeployConfig(r *http.Request, stack *portai
 	}
 	filteredRegistries := security.FilterRegistries(registries, securityContext)

+	user, err := handler.UserService.User(securityContext.UserID)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to load user information from the database", err}
+	}
+
 	config := &composeStackDeploymentConfig{
 		stack:      stack,
 		endpoint:   endpoint,
 		dockerhub:  dockerhub,
 		registries: filteredRegistries,
 		isAdmin:    securityContext.IsAdmin,
+		user:       user,
 	}

 	return config, nil
@@ -324,7 +330,12 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
 		return err
 	}

-	if !settings.AllowBindMountsForRegularUsers && !config.isAdmin {
+	isAdminOrEndpointAdmin, err := handler.userIsAdminOrEndpointAdmin(config.user, config.endpoint.ID)
+	if err != nil {
+		return err
+	}
+
+	if (!settings.AllowBindMountsForRegularUsers || !settings.AllowPrivilegedModeForRegularUsers || !settings.AllowHostNamespaceForRegularUsers) && !isAdminOrEndpointAdmin {
 		composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)

 		stackContent, err := handler.FileService.GetFileContent(composeFilePath)
@@ -332,13 +343,10 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
 			return err
 		}

-		valid, err := handler.isValidStackFile(stackContent)
+		err = handler.isValidStackFile(stackContent, settings)
 		if err != nil {
 			return err
 		}
-		if !valid {
-			return errors.New("bind-mount disabled for non administrator users")
-		}
 	}

 	handler.stackCreationMutex.Lock()
--- a/api/http/handler/stacks/create_swarm_stack.go
+++ b/api/http/handler/stacks/create_swarm_stack.go
@@ -1,7 +1,6 @@
 package stacks

 import (
-	"errors"
 	"net/http"
 	"path"
 	"strconv"
@@ -10,7 +9,7 @@ import (
 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/security"
 )
@@ -292,6 +291,7 @@ type swarmStackDeploymentConfig struct {
 	registries []portainer.Registry
 	prune      bool
 	isAdmin    bool
+	user       *portainer.User
 }

 func (handler *Handler) createSwarmDeployConfig(r *http.Request, stack *portainer.Stack, endpoint *portainer.Endpoint, prune bool) (*swarmStackDeploymentConfig, *httperror.HandlerError) {
@@ -311,6 +311,11 @@ func (handler *Handler) createSwarmDeployConfig(r *http.Request, stack *portaine
 	}
 	filteredRegistries := security.FilterRegistries(registries, securityContext)

+	user, err := handler.UserService.User(securityContext.UserID)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to load user information from the database", err}
+	}
+
 	config := &swarmStackDeploymentConfig{
 		stack:      stack,
 		endpoint:   endpoint,
@@ -318,6 +323,7 @@ func (handler *Handler) createSwarmDeployConfig(r *http.Request, stack *portaine
 		registries: filteredRegistries,
 		prune:      prune,
 		isAdmin:    securityContext.IsAdmin,
+		user:       user,
 	}

 	return config, nil
@@ -329,7 +335,12 @@ func (handler *Handler) deploySwarmStack(config *swarmStackDeploymentConfig) err
 		return err
 	}

-	if !settings.AllowBindMountsForRegularUsers && !config.isAdmin {
+	isAdminOrEndpointAdmin, err := handler.userIsAdminOrEndpointAdmin(config.user, config.endpoint.ID)
+	if err != nil {
+		return err
+	}
+
+	if !settings.AllowBindMountsForRegularUsers && !isAdminOrEndpointAdmin {
 		composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)

 		stackContent, err := handler.FileService.GetFileContent(composeFilePath)
@@ -337,13 +348,10 @@ func (handler *Handler) deploySwarmStack(config *swarmStackDeploymentConfig) err
 			return err
 		}

-		valid, err := handler.isValidStackFile(stackContent)
+		err = handler.isValidStackFile(stackContent, settings)
 		if err != nil {
 			return err
 		}
-		if !valid {
-			return errors.New("bind-mount disabled for non administrator users")
-		}
 	}

 	handler.stackCreationMutex.Lock()
--- a/api/http/handler/stacks/handler.go
+++ b/api/http/handler/stacks/handler.go
@@ -1,12 +1,13 @@
 package stacks

 import (
+	"errors"
 	"net/http"
 	"sync"

 	"github.com/gorilla/mux"
 	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
 )

@@ -87,3 +88,54 @@ func (handler *Handler) userCanAccessStack(securityContext *security.RestrictedR
 	}
 	return false, nil
 }
+
+func (handler *Handler) userCanCreateStack(securityContext *security.RestrictedRequestContext, endpointID portainer.EndpointID) (bool, error) {
+	if securityContext.IsAdmin {
+		return true, nil
+	}
+
+	_, err := handler.ExtensionService.Extension(portainer.RBACExtension)
+	if err == portainer.ErrObjectNotFound {
+		return false, nil
+	} else if err != nil && err != portainer.ErrObjectNotFound {
+		return false, err
+	}
+
+	user, err := handler.UserService.User(securityContext.UserID)
+	if err != nil {
+		return false, err
+	}
+
+	_, ok := user.EndpointAuthorizations[endpointID][portainer.EndpointResourcesAccess]
+	if ok {
+		return true, nil
+	}
+	return false, nil
+}
+
+func (handler *Handler) userIsAdminOrEndpointAdmin(user *portainer.User, endpointID portainer.EndpointID) (bool, error) {
+	isAdmin := user.Role == portainer.AdministratorRole
+
+	rbacExtension, err := handler.ExtensionService.Extension(portainer.RBACExtension)
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return false, errors.New("Unable to verify if RBAC extension is loaded")
+	}
+
+	endpointResourceAccess := false
+	_, ok := user.EndpointAuthorizations[portainer.EndpointID(endpointID)][portainer.EndpointResourcesAccess]
+	if ok {
+		endpointResourceAccess = true
+	}
+
+	if rbacExtension != nil {
+		if isAdmin || endpointResourceAccess {
+			return true, nil
+		}
+	} else {
+		if isAdmin {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
--- a/api/http/handler/stacks/stack_create.go
+++ b/api/http/handler/stacks/stack_create.go
@@ -10,7 +10,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
 )

@@ -43,6 +43,29 @@ func (handler *Handler) stackCreate(w http.ResponseWriter, r *http.Request) *htt
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: endpointId", err}
 	}

+	settings, err := handler.SettingsService.Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	if settings.DisableStackManagementForRegularUsers {
+		securityContext, err := security.RetrieveRestrictedRequestContext(r)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user info from request context", err}
+		}
+
+		canCreate, err := handler.userCanCreateStack(securityContext, portainer.EndpointID(endpointID))
+
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack creation", err}
+		}
+
+		if !canCreate {
+			errMsg := "Stack creation is disabled for non-admin users"
+			return &httperror.HandlerError{http.StatusForbidden, errMsg, errors.New(errMsg)}
+		}
+	}
+
 	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
@@ -97,10 +120,10 @@ func (handler *Handler) createSwarmStack(w http.ResponseWriter, r *http.Request,
 	return &httperror.HandlerError{http.StatusBadRequest, "Invalid value for query parameter: method. Value must be one of: string, repository or file", errors.New(request.ErrInvalidQueryParameter)}
 }

-func (handler *Handler) isValidStackFile(stackFileContent []byte) (bool, error) {
+func (handler *Handler) isValidStackFile(stackFileContent []byte, settings *portainer.Settings) error {
 	composeConfigYAML, err := loader.ParseYAML(stackFileContent)
 	if err != nil {
-		return false, err
+		return err
 	}

 	composeConfigFile := types.ConfigFile{
@@ -117,19 +140,29 @@ func (handler *Handler) isValidStackFile(stackFileContent []byte) (bool, error)
 		options.SkipInterpolation = true
 	})
 	if err != nil {
-		return false, err
+		return err
 	}

 	for key := range composeConfig.Services {
 		service := composeConfig.Services[key]
-		for _, volume := range service.Volumes {
-			if volume.Type == "bind" {
-				return false, nil
+		if !settings.AllowBindMountsForRegularUsers {
+			for _, volume := range service.Volumes {
+				if volume.Type == "bind" {
+					return errors.New("bind-mount disabled for non administrator users")
+				}
 			}
 		}
+
+		if !settings.AllowPrivilegedModeForRegularUsers && service.Privileged == true {
+			return errors.New("privileged mode disabled for non administrator users")
+		}
+
+		if !settings.AllowHostNamespaceForRegularUsers && service.Pid == "host" {
+			return errors.New("pid host disabled for non administrator users")
+		}
 	}

-	return true, nil
+	return nil
 }

 func (handler *Handler) decorateStackResponse(w http.ResponseWriter, stack *portainer.Stack, userID portainer.UserID) *httperror.HandlerError {
--- a/api/http/proxy/factory/docker/containers.go
+++ b/api/http/proxy/factory/docker/containers.go
@@ -1,12 +1,17 @@
 package docker

 import (
+	"bytes"
 	"context"
+	"encoding/json"
+	"errors"
+	"io/ioutil"
 	"net/http"

 	"github.com/docker/docker/client"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+	"github.com/portainer/portainer/api/http/security"
 )

 const (
@@ -147,3 +152,79 @@ func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelB

 	return false
 }
+
+func (transport *Transport) decorateContainerCreationOperation(request *http.Request, resourceIdentifierAttribute string, resourceType portainer.ResourceControlType) (*http.Response, error) {
+	type PartialContainer struct {
+		HostConfig struct {
+			Privileged bool   `json:"Privileged"`
+			PidMode    string `json:"PidMode"`
+		} `json:"HostConfig"`
+	}
+
+	forbiddenResponse := &http.Response{
+		StatusCode: http.StatusForbidden,
+	}
+
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	user, err := transport.userService.User(tokenData.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	rbacExtension, err := transport.extensionService.Extension(portainer.RBACExtension)
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return nil, err
+	}
+
+	endpointResourceAccess := false
+	_, ok := user.EndpointAuthorizations[portainer.EndpointID(transport.endpoint.ID)][portainer.EndpointResourcesAccess]
+	if ok {
+		endpointResourceAccess = true
+	}
+
+	if (rbacExtension != nil && !endpointResourceAccess && tokenData.Role != portainer.AdministratorRole) || (rbacExtension == nil && tokenData.Role != portainer.AdministratorRole) {
+
+		settings, err := transport.settingsService.Settings()
+		if err != nil {
+			return nil, err
+		}
+
+		if !settings.AllowPrivilegedModeForRegularUsers || !settings.AllowHostNamespaceForRegularUsers {
+			body, err := ioutil.ReadAll(request.Body)
+			if err != nil {
+				return nil, err
+			}
+
+			partialContainer := &PartialContainer{}
+			err = json.Unmarshal(body, partialContainer)
+			if err != nil {
+				return nil, err
+			}
+
+			if partialContainer.HostConfig.Privileged {
+				return forbiddenResponse, errors.New("forbidden to use privileged mode")
+			}
+
+			if partialContainer.HostConfig.PidMode == "host" {
+				return forbiddenResponse, errors.New("forbidden to use pid host namespace")
+			}
+
+			request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
+		}
+	}
+
+	response, err := transport.executeDockerRequest(request)
+	if err != nil {
+		return response, err
+	}
+
+	if response.StatusCode == http.StatusCreated {
+		err = transport.decorateGenericResourceCreationResponse(response, resourceIdentifierAttribute, resourceType, tokenData.ID)
+	}
+
+	return response, err
+}
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@@ -209,7 +209,7 @@ func (transport *Transport) proxyConfigRequest(request *http.Request) (*http.Res
 func (transport *Transport) proxyContainerRequest(request *http.Request) (*http.Response, error) {
 	switch requestPath := request.URL.Path; requestPath {
 	case "/containers/create":
-		return transport.decorateGenericResourceCreationOperation(request, containerObjectIdentifier, portainer.ContainerResourceControl)
+		return transport.decorateContainerCreationOperation(request, containerObjectIdentifier, portainer.ContainerResourceControl)

 	case "/containers/prune":
 		return transport.administratorOperation(request)
@@ -656,6 +656,7 @@ func (transport *Transport) createRegistryAccessContext(request *http.Request) (
 		return nil, err
 	}

+
 	accessContext := &registryAccessContext{
 		isAdmin: true,
 		userID:  tokenData.ID,
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -420,19 +420,21 @@ type (

 	// Settings represents the application settings
 	Settings struct {
-		LogoURL                            string               `json:"LogoURL"`
-		BlackListedLabels                  []Pair               `json:"BlackListedLabels"`
-		AuthenticationMethod               AuthenticationMethod `json:"AuthenticationMethod"`
-		LDAPSettings                       LDAPSettings         `json:"LDAPSettings"`
-		OAuthSettings                      OAuthSettings        `json:"OAuthSettings"`
-		AllowBindMountsForRegularUsers     bool                 `json:"AllowBindMountsForRegularUsers"`
-		AllowPrivilegedModeForRegularUsers bool                 `json:"AllowPrivilegedModeForRegularUsers"`
-		AllowVolumeBrowserForRegularUsers  bool                 `json:"AllowVolumeBrowserForRegularUsers"`
-		SnapshotInterval                   string               `json:"SnapshotInterval"`
-		TemplatesURL                       string               `json:"TemplatesURL"`
-		EnableHostManagementFeatures       bool                 `json:"EnableHostManagementFeatures"`
-		EdgeAgentCheckinInterval           int                  `json:"EdgeAgentCheckinInterval"`
-		EnableEdgeComputeFeatures          bool                 `json:"EnableEdgeComputeFeatures"`
+		LogoURL                               string               `json:"LogoURL"`
+		BlackListedLabels                     []Pair               `json:"BlackListedLabels"`
+		AuthenticationMethod                  AuthenticationMethod `json:"AuthenticationMethod"`
+		LDAPSettings                          LDAPSettings         `json:"LDAPSettings"`
+		OAuthSettings                         OAuthSettings        `json:"OAuthSettings"`
+		AllowBindMountsForRegularUsers        bool                 `json:"AllowBindMountsForRegularUsers"`
+		AllowPrivilegedModeForRegularUsers    bool                 `json:"AllowPrivilegedModeForRegularUsers"`
+		AllowVolumeBrowserForRegularUsers     bool                 `json:"AllowVolumeBrowserForRegularUsers"`
+		SnapshotInterval                      string               `json:"SnapshotInterval"`
+		TemplatesURL                          string               `json:"TemplatesURL"`
+		EnableHostManagementFeatures          bool                 `json:"EnableHostManagementFeatures"`
+		EdgeAgentCheckinInterval              int                  `json:"EdgeAgentCheckinInterval"`
+		EnableEdgeComputeFeatures             bool                 `json:"EnableEdgeComputeFeatures"`
+		DisableStackManagementForRegularUsers bool                 `json:"DisableStackManagementForRegularUsers"`
+		AllowHostNamespaceForRegularUsers     bool                 `json:"AllowHostNamespaceForRegularUsers"`

 		// Deprecated fields
 		DisplayDonationHeader       bool
@@ -1007,7 +1009,7 @@ type (

 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "1.24.0"
+	APIVersion = "1.24.1-dev"
 	// DBVersion is the version number of the Portainer database
 	DBVersion = 23
 	// AssetsServerURL represents the URL of the Portainer asset server
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@@ -54,7 +54,7 @@ info:

    **NOTE**: You can find more information on how to query the Docker API in the [Docker official documentation](https://docs.docker.com/engine/api/v1.30/) as well as in [this Portainer example](https://gist.github.com/deviantony/77026d402366b4b43fa5918d41bc42f8).

-  version: "1.24.0"
+  version: "1.24.1-dev"
  title: "Portainer API"
  contact:
    email: "info@portainer.io"
@@ -3174,7 +3174,7 @@ definitions:
        description: "Is analytics enabled"
      Version:
        type: "string"
-        example: "1.24.0"
+        example: "1.24.1-dev"
        description: "Portainer API version"
  PublicSettingsInspectResponse:
    type: "object"
--- a/api/swagger_config.json
+++ b/api/swagger_config.json
@@ -1,5 +1,5 @@
 {
  "packageName": "portainer",
-  "packageVersion": "1.24.0",
+  "packageVersion": "1.24.1-dev",
  "projectName": "portainer"
 }
--- a/app/docker/components/dockerSidebarContent/docker-sidebar-content.js
+++ b/app/docker/components/dockerSidebarContent/docker-sidebar-content.js
@@ -6,5 +6,6 @@ angular.module('portainer.docker').component('dockerSidebarContent', {
    standaloneManagement: '<',
    adminAccess: '<',
    offlineMode: '<',
+    hideStacks: '<',
  },
 });
--- a/app/docker/components/dockerSidebarContent/dockerSidebarContent.html
+++ b/app/docker/components/dockerSidebarContent/dockerSidebarContent.html
@@ -4,7 +4,7 @@
 <li class="sidebar-list" ng-if="!$ctrl.offlineMode" authorization="DockerContainerCreate, PortainerStackCreate">
  <a ui-sref="portainer.templates" ui-sref-active="active">App Templates <span class="menu-icon fa fa-rocket fa-fw"></span></a>
 </li>
-<li class="sidebar-list">
+<li class="sidebar-list" ng-if="!$ctrl.hideStacks">
  <a ui-sref="portainer.stacks" ui-sref-active="active">Stacks <span class="menu-icon fa fa-th-list fa-fw"></span></a>
 </li>
 <li class="sidebar-list" ng-if="$ctrl.swarmManagement">
--- a/app/extensions/registry-management/views/repositories/registryRepositoriesController.js
+++ b/app/extensions/registry-management/views/repositories/registryRepositoriesController.js
@@ -54,8 +54,8 @@ angular.module('portainer.extensions.registrymanagement').controller('RegistryRe
            .then(function success() {
              return RegistryServiceSelector.repositories($scope.registry);
            })
-            .then(function success(data) {
-              $scope.repositories = data;
+            .then(function success(repositories) {
+              $scope.repositories = _.filter(repositories, (repository) => repository.TagsCount > 0);
            })
            .catch(function error() {
              $scope.state.displayInvalidConfigurationMessage = true;
--- a/app/portainer/components/datatables/stacks-datatable/stacksDatatable.html
+++ b/app/portainer/components/datatables/stacks-datatable/stacksDatatable.html
@@ -2,7 +2,7 @@
  <rd-widget>
    <rd-widget-body classes="no-padding">
      <div class="toolBar">
-        <div class="toolBarTitle"> <i class="fa" ng-class="$ctrl.titleIcon" aria-hidden="true" style="margin-right: 2px;"></i> {{ $ctrl.titleText }} </div>
+        <div class="toolBarTitle"><i class="fa" ng-class="$ctrl.titleIcon" aria-hidden="true" style="margin-right: 2px;"></i> {{ $ctrl.titleText }} </div>
        <div class="settings">
          <span class="setting" ng-class="{ 'setting-active': $ctrl.settings.open }" uib-dropdown dropdown-append-to-body auto-close="disabled" is-open="$ctrl.settings.open">
            <span uib-dropdown-toggle><i class="fa fa-cog" aria-hidden="true"></i> Settings</span>
@@ -52,7 +52,7 @@
        >
          <i class="fa fa-trash-alt space-right" aria-hidden="true"></i>Remove
        </button>
-        <button type="button" class="btn btn-sm btn-primary" ui-sref="portainer.stacks.newstack" authorization="PortainerStackCreate">
+        <button type="button" class="btn btn-sm btn-primary" ui-sref="portainer.stacks.newstack" ng-disabled="!$ctrl.createEnabled" authorization="PortainerStackCreate">
          <i class="fa fa-plus space-right" aria-hidden="true"></i>Add stack
        </button>
      </div>
@@ -144,7 +144,10 @@
        </table>
      </div>
      <div class="footer" ng-if="$ctrl.dataset">
-        <div class="infoBar" ng-if="$ctrl.state.selectedItemCount !== 0"> {{ $ctrl.state.selectedItemCount }} item(s) selected </div>
+        <div class="infoBar" ng-if="$ctrl.state.selectedItemCount !== 0">
+          {{ $ctrl.state.selectedItemCount }}
+          item(s) selected
+        </div>
        <div class="paginationControls">
          <form class="form-inline">
            <span class="limitSelector">
--- a/app/portainer/components/datatables/stacks-datatable/stacksDatatable.js
+++ b/app/portainer/components/datatables/stacks-datatable/stacksDatatable.js
@@ -12,5 +12,6 @@ angular.module('portainer.app').component('stacksDatatable', {
    removeAction: '<',
    offlineMode: '<',
    refreshCallback: '<',
+    createEnabled: '<',
  },
 });
--- a/app/portainer/models/settings.js
+++ b/app/portainer/models/settings.js
@@ -13,6 +13,8 @@ export function SettingsViewModel(data) {
  this.EnableHostManagementFeatures = data.EnableHostManagementFeatures;
  this.EdgeAgentCheckinInterval = data.EdgeAgentCheckinInterval;
  this.EnableEdgeComputeFeatures = data.EnableEdgeComputeFeatures;
+  this.DisableStackManagementForRegularUsers = data.DisableStackManagementForRegularUsers;
+  this.AllowHostNamespaceForRegularUsers = data.AllowHostNamespaceForRegularUsers;
 }

 export function PublicSettingsViewModel(settings) {
@@ -25,6 +27,7 @@ export function PublicSettingsViewModel(settings) {
  this.EnableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures;
  this.LogoURL = settings.LogoURL;
  this.OAuthLoginURI = settings.OAuthLoginURI;
+  this.DisableStackManagementForRegularUsers = settings.DisableStackManagementForRegularUsers;
 }

 export function LDAPSettingsViewModel(data) {
--- a/app/portainer/services/stateManager.js
+++ b/app/portainer/services/stateManager.js
@@ -76,6 +76,16 @@ angular.module('portainer.app').factory('StateManager', [
      LocalStorage.storeApplicationState(state.application);
    };

+    manager.updateDisableStackManagementForRegularUsers = function updateDisableStackManagementForRegularUsers(disableStackManagementForRegularUsers) {
+      state.application.disableStackManagementForRegularUsers = disableStackManagementForRegularUsers;
+      LocalStorage.storeApplicationState(state.application);
+    };
+
+    manager.updateAllowHostNamespaceForRegularUsers = function (allowHostNamespaceForRegularUsers) {
+      state.application.allowHostNamespaceForRegularUsers = allowHostNamespaceForRegularUsers;
+      LocalStorage.storeApplicationState(state.application);
+    };
+
    function assignStateFromStatusAndSettings(status, settings) {
      state.application.authentication = status.Authentication;
      state.application.analytics = status.Analytics;
@@ -87,6 +97,7 @@ angular.module('portainer.app').factory('StateManager', [
      state.application.enableHostManagementFeatures = settings.EnableHostManagementFeatures;
      state.application.enableVolumeBrowserForNonAdminUsers = settings.AllowVolumeBrowserForRegularUsers;
      state.application.enableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures;
+      state.application.disableStackManagementForRegularUsers = settings.DisableStackManagementForRegularUsers;
      state.application.validity = moment().unix();
    }

--- a/app/portainer/views/settings/settings.html
+++ b/app/portainer/views/settings/settings.html
@@ -120,6 +120,27 @@
              </label>
            </div>
          </div>
+          <div class="form-group">
+            <div class="col-sm-12">
+              <label for="toggle_disableStackManagementForRegularUsers" class="control-label text-left">
+                Disable the use of Stacks for non-administrators
+              </label>
+              <label class="switch" style="margin-left: 20px;">
+                <input type="checkbox" name="toggle_disableStackManagementForRegularUsers" ng-model="formValues.disableStackManagementForRegularUsers" /><i></i>
+              </label>
+            </div>
+          </div>
+          <div class="form-group">
+            <div class="col-sm-12">
+              <label for="toggle_allowHostNamespaceForRegularUsers" class="control-label text-left">
+                Disable the use of host PID 1 for non-administrators
+                <portainer-tooltip position="bottom" message="Prevent users from accessing the host filesystem through the host PID namespace."></portainer-tooltip>
+              </label>
+              <label class="switch" style="margin-left: 20px;">
+                <input type="checkbox" name="toggle_allowHostNamespaceForRegularUsers" ng-model="formValues.restrictHostNamespaceForRegularUsers" /><i></i>
+              </label>
+            </div>
+          </div>
          <!-- !security -->
          <!-- edge -->
          <div class="col-sm-12 form-section-title">
--- a/app/portainer/views/settings/settingsController.js
+++ b/app/portainer/views/settings/settingsController.js
@@ -33,6 +33,8 @@ angular.module('portainer.app').controller('SettingsController', [
      enableHostManagementFeatures: false,
      enableVolumeBrowser: false,
      enableEdgeComputeFeatures: false,
+      disableStackManagementForRegularUsers: false,
+      restrictHostNamespaceForRegularUsers: false,
    };

    $scope.removeFilteredContainerLabel = function (index) {
@@ -69,6 +71,8 @@ angular.module('portainer.app').controller('SettingsController', [
      settings.AllowVolumeBrowserForRegularUsers = $scope.formValues.enableVolumeBrowser;
      settings.EnableHostManagementFeatures = $scope.formValues.enableHostManagementFeatures;
      settings.EnableEdgeComputeFeatures = $scope.formValues.enableEdgeComputeFeatures;
+      settings.DisableStackManagementForRegularUsers = $scope.formValues.disableStackManagementForRegularUsers;
+      settings.AllowHostNamespaceForRegularUsers = !$scope.formValues.restrictHostNamespaceForRegularUsers;

      $scope.state.actionInProgress = true;
      updateSettings(settings);
@@ -83,6 +87,8 @@ angular.module('portainer.app').controller('SettingsController', [
          StateManager.updateEnableHostManagementFeatures(settings.EnableHostManagementFeatures);
          StateManager.updateEnableVolumeBrowserForNonAdminUsers(settings.AllowVolumeBrowserForRegularUsers);
          StateManager.updateEnableEdgeComputeFeatures(settings.EnableEdgeComputeFeatures);
+          StateManager.updateDisableStackManagementForRegularUsers(settings.DisableStackManagementForRegularUsers);
+          StateManager.updateAllowHostNamespaceForRegularUsers(settings.AllowHostNamespaceForRegularUsers);
          $state.reload();
        })
        .catch(function error(err) {
@@ -109,6 +115,8 @@ angular.module('portainer.app').controller('SettingsController', [
          $scope.formValues.enableVolumeBrowser = settings.AllowVolumeBrowserForRegularUsers;
          $scope.formValues.enableHostManagementFeatures = settings.EnableHostManagementFeatures;
          $scope.formValues.enableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures;
+          $scope.formValues.disableStackManagementForRegularUsers = settings.DisableStackManagementForRegularUsers;
+          $scope.formValues.restrictHostNamespaceForRegularUsers = !settings.AllowHostNamespaceForRegularUsers;
        })
        .catch(function error(err) {
          Notifications.error('Failure', err, 'Unable to retrieve application settings');
--- a/app/portainer/views/sidebar/sidebar.html
+++ b/app/portainer/views/sidebar/sidebar.html
@@ -16,6 +16,7 @@
      <azure-sidebar-content ng-if="applicationState.endpoint.mode && applicationState.endpoint.mode.provider === 'AZURE'"> </azure-sidebar-content>
      <docker-sidebar-content
        ng-if="applicationState.endpoint.mode && applicationState.endpoint.mode.provider !== 'AZURE'"
+        hide-stacks="!isAdmin && applicationState.application.disableStackManagementForRegularUsers"
        endpoint-api-version="applicationState.endpoint.apiVersion"
        swarm-management="applicationState.endpoint.mode.provider === 'DOCKER_SWARM_MODE' && applicationState.endpoint.mode.role === 'MANAGER'"
        standalone-management="applicationState.endpoint.mode.provider === 'DOCKER_STANDALONE' || applicationState.endpoint.mode.provider === 'VMWARE_VIC'"
--- a/app/portainer/views/stacks/stacks.html
+++ b/app/portainer/views/stacks/stacks.html
@@ -19,6 +19,7 @@
      show-ownership-column="applicationState.application.authentication"
      offline-mode="offlineMode"
      refresh-callback="getStacks"
+      create-enabled="createEnabled"
    ></stacks-datatable>
  </div>
 </div>
--- a/app/portainer/views/stacks/stacksController.js
+++ b/app/portainer/views/stacks/stacksController.js
@@ -1,65 +1,85 @@
-angular.module('portainer.app').controller('StacksController', [
-  '$scope',
-  '$state',
-  'Notifications',
-  'StackService',
-  'ModalService',
-  'EndpointProvider',
-  function ($scope, $state, Notifications, StackService, ModalService, EndpointProvider) {
-    $scope.removeAction = function (selectedItems) {
-      ModalService.confirmDeletion('Do you want to remove the selected stack(s)? Associated services will be removed as well.', function onConfirm(confirmed) {
-        if (!confirmed) {
-          return;
-        }
-        deleteSelectedStacks(selectedItems);
-      });
-    };
+angular.module('portainer.app').controller('StacksController', StacksController);

-    function deleteSelectedStacks(stacks) {
-      var endpointId = EndpointProvider.endpointID();
-      var actionCount = stacks.length;
-      angular.forEach(stacks, function (stack) {
-        StackService.remove(stack, stack.External, endpointId)
-          .then(function success() {
-            Notifications.success('Stack successfully removed', stack.Name);
-            var index = $scope.stacks.indexOf(stack);
-            $scope.stacks.splice(index, 1);
-          })
-          .catch(function error(err) {
-            Notifications.error('Failure', err, 'Unable to remove stack ' + stack.Name);
-          })
-          .finally(function final() {
-            --actionCount;
-            if (actionCount === 0) {
-              $state.reload();
-            }
-          });
-      });
-    }
+/* @ngInject */
+function StacksController($scope, $state, Notifications, StackService, ModalService, EndpointProvider, Authentication, StateManager, ExtensionService) {
+  $scope.removeAction = function (selectedItems) {
+    ModalService.confirmDeletion('Do you want to remove the selected stack(s)? Associated services will be removed as well.', function onConfirm(confirmed) {
+      if (!confirmed) {
+        return;
+      }
+      deleteSelectedStacks(selectedItems);
+    });
+  };

-    $scope.offlineMode = false;
-
-    $scope.getStacks = getStacks;
-    function getStacks() {
-      var endpointMode = $scope.applicationState.endpoint.mode;
-      var endpointId = EndpointProvider.endpointID();
-
-      StackService.stacks(true, endpointMode.provider === 'DOCKER_SWARM_MODE' && endpointMode.role === 'MANAGER', endpointId)
-        .then(function success(data) {
-          var stacks = data;
-          $scope.stacks = stacks;
-          $scope.offlineMode = EndpointProvider.offlineMode();
+  function deleteSelectedStacks(stacks) {
+    var endpointId = EndpointProvider.endpointID();
+    var actionCount = stacks.length;
+    angular.forEach(stacks, function (stack) {
+      StackService.remove(stack, stack.External, endpointId)
+        .then(function success() {
+          Notifications.success('Stack successfully removed', stack.Name);
+          var index = $scope.stacks.indexOf(stack);
+          $scope.stacks.splice(index, 1);
        })
        .catch(function error(err) {
-          $scope.stacks = [];
-          Notifications.error('Failure', err, 'Unable to retrieve stacks');
+          Notifications.error('Failure', err, 'Unable to remove stack ' + stack.Name);
+        })
+        .finally(function final() {
+          --actionCount;
+          if (actionCount === 0) {
+            $state.reload();
+          }
        });
+    });
+  }
+
+  $scope.offlineMode = false;
+  $scope.createEnabled = false;
+
+  $scope.getStacks = getStacks;
+
+  function getStacks() {
+    var endpointMode = $scope.applicationState.endpoint.mode;
+    var endpointId = EndpointProvider.endpointID();
+
+    StackService.stacks(true, endpointMode.provider === 'DOCKER_SWARM_MODE' && endpointMode.role === 'MANAGER', endpointId)
+      .then(function success(data) {
+        var stacks = data;
+        $scope.stacks = stacks;
+        $scope.offlineMode = EndpointProvider.offlineMode();
+      })
+      .catch(function error(err) {
+        $scope.stacks = [];
+        Notifications.error('Failure', err, 'Unable to retrieve stacks');
+      });
+  }
+
+  async function loadCreateEnabled() {
+    const appState = StateManager.getState().application;
+    if (!appState.disableStackManagementForRegularUsers) {
+      return true;
    }

-    function initView() {
-      getStacks();
+    let isAdmin = true;
+    if (appState.authentication) {
+      isAdmin = Authentication.isAdmin();
+    }
+    if (isAdmin) {
+      return true;
    }

-    initView();
-  },
-]);
+    const RBACExtensionEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
+    if (!RBACExtensionEnabled) {
+      return false;
+    }
+
+    return Authentication.hasAuthorizations(['EndpointResourcesAccess']);
+  }
+
+  async function initView() {
+    getStacks();
+    $scope.createEnabled = await loadCreateEnabled();
+  }
+
+  initView();
+}
--- a/distribution/portainer.spec
+++ b/distribution/portainer.spec
@@ -1,5 +1,5 @@
 Name:           portainer
-Version:        1.24.0
+Version:        1.24.1-dev
 Release:        0
 License:        Zlib
 Summary:        A lightweight docker management UI
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
  "author": "Portainer.io",
  "name": "portainer",
  "homepage": "http://portainer.io",
-  "version": "1.24.0",
+  "version": "1.24.1-dev",
  "repository": {
    "type": "git",
    "url": "git@github.com:portainer/portainer.git"
Author	SHA1	Message	Date
Maxime Bajeux	ca61000d31	fix(settings): A database migration is missing for that new setting	2020-07-10 01:39:32 +02:00
Maxime Bajeux	0f58ece899	feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970 ) * feat(containers): Prevent non-admin users from running containers using the host namespace pid * feat(containers): add rbac check for swarm stack too * feat(containers): remove forgotten conflict * feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action * feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html * feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers	2020-07-08 09:48:34 +12:00
Chaim Lev-Ari	b0ad212858	fix(registries): hide zero tags repositories (#3985 )	2020-07-07 10:59:33 +12:00
Chaim Lev-Ari	7eb2fd3424	feat(stacks): add a setting to disable the creation of stacks for non-admin users (#3932 ) * feat(settings): introduce a setting to prevent non-admin from stack creation * feat(settings): update stack creation setting * feat(settings): fail stack creation if user is non admin * fix(settings): save preventStackCreation setting to state * feat(stacks): disable add button when settings is enabled * format(stacks): remove line * feat(stacks): setting to hide stacks from users * feat(settings): rename disable stacks setting * refactor(settings): rename setting to disableStackManagementForRegularUsers	2020-07-01 09:34:43 +12:00
Maxime Bajeux	4c0d8ce732	feat(containers): Ensure users cannot create privileged containers via the API (#3969 ) * feat(containers): Ensure users cannot create privileged containers via the API * feat(containers): add rbac check in stack creation	2020-06-30 17:13:37 +12:00
Anthony Lapenna	e1cc4bc9a1	chore(version): bump version number	2020-06-16 17:22:51 +12:00