authorValerij Fredriksen <valerijf@verizonmedia.com>2020-03-04 11:04:49 +0100
committerValerij Fredriksen <valerijf@verizonmedia.com>2020-03-04 11:04:49 +0100
commit734fe0e9a6efb5a8d6174d9313fbcca0b4c64cfb (patch)
tree72e02e240a0c34c3a20f82a05c2e77723ab879d7 /node-admin
parentb25f86aec251643031cb760bfa810318f177daba (diff)
Set no-new-privileges security option on container if flag is set
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java13
1 files changed, 13 insertions, 0 deletions
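--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.java
@@ -2,11 +2,15 @@
 package com.yahoo.vespa.hosted.node.admin.docker;
 import com.google.common.net.InetAddresses;
+import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.DockerImage;
 import com.yahoo.config.provision.HostName;
 import com.yahoo.config.provision.NodeType;
 import com.yahoo.config.provision.SystemName;
+import com.yahoo.vespa.flags.BooleanFlag;
+import com.yahoo.vespa.flags.FetchVector;
 import com.yahoo.vespa.flags.FlagSource;
+import com.yahoo.vespa.flags.Flags;
 import com.yahoo.vespa.hosted.dockerapi.Container;
 import com.yahoo.vespa.hosted.dockerapi.ContainerResources;
 import com.yahoo.vespa.hosted.dockerapi.ContainerStats;
@@ -50,11 +54,13 @@ public class DockerOperationsImpl implements DockerOperations {
 private final Docker docker;
 private final Terminal terminal;
 private final IPAddresses ipAddresses;
+private final BooleanFlag noNewPrivilegesFlag;
 public DockerOperationsImpl(Docker docker, Terminal terminal, IPAddresses ipAddresses, FlagSource flagSource) {
 this.docker = docker;
 this.terminal = terminal;
 this.ipAddresses = ipAddresses;
+this.noNewPrivilegesFlag = Flags.RESTRICT_ACQUIRING_NEW_PRIVILEGES.bindTo(flagSource);
 }
 @Override
@@ -84,6 +90,13 @@ public class DockerOperationsImpl implements DockerOperations {
 .withAddCapability("SYS_ADMIN") // Needed for perf
 .withAddCapability("SYS_NICE"); // Needed for set_mempolicy to work
+boolean noNewPrivileges = noNewPrivilegesFlag
+.with(FetchVector.Dimension.HOSTNAME, context.hostname().value())
+.with(FetchVector.Dimension.APPLICATION_ID, context.node().owner().map(ApplicationId::serializedForm).orElse(null))
+.value();
+if (noNewPrivileges)
+command.withSecurityOpt("no-new-privileges");
+
 if (context.node().membership().map(NodeMembership::clusterType).map("content"::equalsIgnoreCase).orElse(false))
 command.withSecurityOpt("seccomp=unconfined");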
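Review bot: The new `no-new-privileges` block carries no comment saying what the option protects against, while the neighbouring `withAddCapability` lines each explain themselves, and because the same command grants `SYS_ADMIN` a reader can easily overestimate its effect. Suggest `// Stops processes in the container from gaining privileges on exec (setuid binaries, file capabilities); capabilities granted above, including SYS_ADMIN, are unaffected` above the `boolean noNewPrivileges` line. Separately, the `APPLICATION_ID` dimension is filled from `owner().map(ApplicationId::serializedForm).orElse(null)`, so a node without an owner passes null into `FetchVector.with`; if that method does not accept null, container creation for such nodes would fail at this point instead of falling back to the flag's default, which is worth confirming against FetchVector. The enclosing method begins before this hunk and continues past it.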