Evaluate use of capabilities in executables #51

grahamwhaley · 2017-02-20T19:15:50Z

We should probably do a review of our executables 'capabilities', and start to remove any that are not needed (to reduce attack surface).
On the host side we should check what we can do for:

the runtime
the shim
the proxy

and on the guest side we probably need to set or remove the capabilities around the workload according to the configuration (from the OCI file for instance) that is passed in/requested of us.

** Changes - cc-check: Always run all tests - build: Fix config file warning message - list: Ensure "--cc-all" details are correct - refactor: simplify code to return the fastpath first - Unbreak gofmt - process: Add github issue template - paths: Resolve paths earlier - scripts: Improve collect data script - build: Show version of go - tests: Increase unit test timeout - build: Fix go vet issues flagged by go 1.9 - docs: developers: how to build custom kernel - scripts: Create script to gather environment details - readme: Update CI badges - ci: Remove Travis and add unit testing to all CI ** Shortlog 413e2ed cc-check: Only warn if nesting not available c761552 cc-check: Always run all tests 6ec4ecd build: Fix config file warning message b629d80 list: Ensure "--cc-all" details are correct 1378b68 refactor: simplify code to return the fastpath first fc87e7b tests: Fix gofmt and ineffassign issues 2212ef7 CI: Unbreak gofmt logic 651cfb3 process: Add github issue template 2c1ce71 paths: Resolve paths earlier 16b1dae scripts: Improve formatting in cc-collect-data.sh 53bd495 scripts: Simpify main function in cc-collect-data.sh 08ed990 scripts: Rename Meta heading in cc-collect-data.sh 57f2500 scripts: Use more punctuation in cc-collect-data.sh 6a7fc90 scripts: Add more patterns to cc-collect-data.sh 541fe44 scripts: Add more patterns to cc-collect-data.sh 1c7d20c build: Generate cc-collect script ffe6ccf build: Generalise ".in" file rule 9280a6b build: Show version of go 1bde169 tests: Increase unit test timeout d4954bc Revert: Undo "Merge pull request *587 from mcastelino/topic/govet" 5213667 go vet: Fix issues detected by go vet in go 1.9 acecd7b Revendor: Revendor testify to fix go vet 3d07c40 docs: developers: how to build custom kernel c8fc271 scripts: Create script to gather environment details 062522d readme: Update CI badges fb10a0e .ci: Remove travis and add unit testing to Jenkins ** Compatibility with Docker Clear Containers 3.0.1 is compatible with Docker v17.06-ce ** OCI Runtime Specification Clear Containers 3.0.1 support the OCI Runtime Specification [v1.0.0-rc5][ocispec] ** Clear Linux Containers image Clear Containers 3.0.1 requires at least Clear Linux containers image [17270][clearlinuximage] ** Clear Linux Containers Kernel Clear Containers 3.0.1 requires at least Clear Linux Containers kernel [v4.9.47-77.container][kernel] ** Installation - [Ubuntu][ubuntu] - [Fedora][fedora] - [Developers][developers] ** Issues & limitations *** Networking **** Adding networks dynamically *** Resource management **** `docker run --cpus=` See issue [\*341](clearcontainers#341) for more information. **** `docker run --kernel-memory=` See issue [\*388](clearcontainers#388) for more information. **** shm **** cgroup constraints **** Capabilities See issue [\*51](clearcontainers#51) for more information. **** sysctl **** tmpfs *** Other **** checkpoint and restore **** `docker stats` See issue [\*200](clearcontainers#200) for more information. *** runtime commands **** `ps` command See issue [\*95](clearcontainers#95) for more information. **** `events` command See issue [\*379](clearcontainers#379) for more information. **** `update` command See issue [\*380](clearcontainers#380) for more information. *** Networking **** Support for joining an existing VM network **** `docker --net=host` **** `docker run --link` *** Host resource sharing **** `docker --device` **** `docker -v /dev/...` **** `docker run --privileged` *** Other **** Annotations *** runtime commands **** `init` command **** `spec` command More information [Limitations][limitations] [clearlinuximage]: https://download.clearlinux.org/releases/17270/clear/clear-17270-containers.img.xz [kernel]: https://github.com/clearcontainers/linux/tree/v4.9.47-77.container [ocispec]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0-rc5 [limitations]: https://github.com/clearcontainers/runtime/blob/f5bc403510ab2a837ba4b2115ea4c94cf51e9dea/docs/limitations.md [ubuntu]: https://github.com/clearcontainers/runtime/blob/f5bc403510ab2a837ba4b2115ea4c94cf51e9dea/docs/ubuntu-installation-guide.md [fedora]: https://github.com/clearcontainers/runtime/blob/f5bc403510ab2a837ba4b2115ea4c94cf51e9dea/docs/fedora-installation-guide.md [developers]: https://github.com/clearcontainers/runtime/blob/f5bc403510ab2a837ba4b2115ea4c94cf51e9dea/docs/developers-clear-containers-install.md Signed-off-by: Jose Carlos Venegas Munoz <[email protected]>

** Changes - cc-check: Always run all tests - build: Fix config file warning message - list: Ensure "--cc-all" details are correct - refactor: simplify code to return the fastpath first - Unbreak gofmt - process: Add github issue template - paths: Resolve paths earlier - scripts: Improve collect data script - build: Show version of go - tests: Increase unit test timeout - build: Fix go vet issues flagged by go 1.9 - docs: developers: how to build custom kernel - scripts: Create script to gather environment details - readme: Update CI badges - ci: Remove Travis and add unit testing to all CI ** Shortlog 413e2ed cc-check: Only warn if nesting not available c761552 cc-check: Always run all tests 6ec4ecd build: Fix config file warning message b629d80 list: Ensure "--cc-all" details are correct 1378b68 refactor: simplify code to return the fastpath first fc87e7b tests: Fix gofmt and ineffassign issues 2212ef7 CI: Unbreak gofmt logic 651cfb3 process: Add github issue template 2c1ce71 paths: Resolve paths earlier 16b1dae scripts: Improve formatting in cc-collect-data.sh 53bd495 scripts: Simpify main function in cc-collect-data.sh 08ed990 scripts: Rename Meta heading in cc-collect-data.sh 57f2500 scripts: Use more punctuation in cc-collect-data.sh 6a7fc90 scripts: Add more patterns to cc-collect-data.sh 541fe44 scripts: Add more patterns to cc-collect-data.sh 1c7d20c build: Generate cc-collect script ffe6ccf build: Generalise ".in" file rule 9280a6b build: Show version of go 1bde169 tests: Increase unit test timeout d4954bc Revert: Undo "Merge pull request *587 from mcastelino/topic/govet" 5213667 go vet: Fix issues detected by go vet in go 1.9 acecd7b Revendor: Revendor testify to fix go vet 3d07c40 docs: developers: how to build custom kernel c8fc271 scripts: Create script to gather environment details 062522d readme: Update CI badges fb10a0e .ci: Remove travis and add unit testing to Jenkins ** Compatibility with Docker Clear Containers 3.0.1 is compatible with Docker v17.06-ce ** OCI Runtime Specification Clear Containers 3.0.1 support the OCI Runtime Specification [v1.0.0-rc5][ocispec] ** Clear Linux Containers image Clear Containers 3.0.1 requires at least Clear Linux containers image [17270][clearlinuximage] ** Clear Linux Containers Kernel Clear Containers 3.0.1 requires at least Clear Linux Containers kernel [v4.9.47-77.container][kernel] ** Installation - [Ubuntu][ubuntu] - [Fedora][fedora] - [Developers][developers] ** Issues & limitations *** Networking **** Adding networks dynamically *** Resource management **** `docker run --cpus=` See issue [\*341](clearcontainers#341) for more information. **** `docker run --kernel-memory=` See issue [\*388](clearcontainers#388) for more information. **** shm **** cgroup constraints **** Capabilities See issue [\*51](clearcontainers#51) for more information. **** sysctl **** tmpfs *** Other **** checkpoint and restore **** `docker stats` See issue [\*200](clearcontainers#200) for more information. *** runtime commands **** `ps` command See issue [\*95](clearcontainers#95) for more information. **** `events` command See issue [\*379](clearcontainers#379) for more information. **** `update` command See issue [\*380](clearcontainers#380) for more information. *** Networking **** Support for joining an existing VM network **** `docker --net=host` **** `docker run --link` *** Host resource sharing **** `docker --device` **** `docker -v /dev/...` **** `docker run --privileged` *** Other **** Annotations *** runtime commands **** `init` command **** `spec` command More information [Limitations][limitations] [clearlinuximage]: https://download.clearlinux.org/releases/17270/clear/clear-17270-containers.img.xz [kernel]: https://github.com/clearcontainers/linux/tree/v4.9.47-77.container [ocispec]: https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0-rc5 [limitations]: https://github.com/clearcontainers/runtime/blob/f5bc403510ab2a837ba4b2115ea4c94cf51e9dea/docs/limitations.md [ubuntu]: https://github.com/clearcontainers/runtime/blob/f5bc403510ab2a837ba4b2115ea4c94cf51e9dea/docs/ubuntu-installation-guide.md [fedora]: https://github.com/clearcontainers/runtime/blob/f5bc403510ab2a837ba4b2115ea4c94cf51e9dea/docs/fedora-installation-guide.md [developers]: https://github.com/clearcontainers/runtime/blob/f5bc403510ab2a837ba4b2115ea4c94cf51e9dea/docs/developers-clear-containers-install.md Fixes clearcontainers#640 Signed-off-by: Jose Carlos Venegas Munoz <[email protected]>

jcvenegas mentioned this issue Aug 11, 2017

docs : Automate release notes #410

Merged

jcvenegas mentioned this issue Sep 27, 2017

Release 3.0.1 #641

Merged

This was referenced Oct 4, 2017

release: 3.0.2 #675

Merged

Release 3.0.3 #715

Merged

This was referenced Oct 18, 2017

Release: 3.0.4 #742

Merged

release: 3.0.5 #751

Merged

jcvenegas mentioned this issue Nov 1, 2017

Release 3.0.6 #784

Merged

jcvenegas mentioned this issue Nov 15, 2017

Release 3.0.8 #814

Merged

mcastelino mentioned this issue Nov 17, 2017

Default capabilities: runc drops CAPs by default. cc-runtime/agent should do the same #818

Closed

This was referenced Nov 29, 2017

Release 3.0.9 #838

Merged

Release: Clear Containers 3.0.10 #844

Merged

jcvenegas mentioned this issue Dec 13, 2017

Release: Clear Containers 3.0.11 #860

Merged

jcvenegas mentioned this issue Dec 21, 2017

Release 3.0.12 #875

Merged

jcvenegas mentioned this issue Jan 4, 2018

# Release 3.0.13 #895

Merged

jcvenegas mentioned this issue Jan 18, 2018

release: Clear Containers 3.0.14 #937

Merged

egernst closed this as completed Jan 23, 2018

jcvenegas mentioned this issue Jan 24, 2018

# Release 3.0.15 #959

Merged

jcvenegas mentioned this issue Jan 31, 2018

# Release 3.0.16 #978

Merged

This was referenced Feb 7, 2018

# Release 3.0.17 #996

Merged

# Release 3.0.18 #1007

Merged

erick0z mentioned this issue Feb 21, 2018

# Release 3.0.19 #1021

Merged

This was referenced Feb 28, 2018

# Release 3.0.20 #1038

Merged

# Release 3.0.21 #1051

Merged

jcvenegas mentioned this issue Mar 15, 2018

# Release 3.0.22 #1078

Merged

jcvenegas mentioned this issue Mar 28, 2018

# Release 3.0.23 #1084

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Evaluate use of capabilities in executables #51

Evaluate use of capabilities in executables #51

grahamwhaley commented Feb 20, 2017

Evaluate use of capabilities in executables #51

Evaluate use of capabilities in executables #51

Comments

grahamwhaley commented Feb 20, 2017