
feat: add support to add and drop linux capabilities #1702

Merged (3 commits), Jan 10, 2025

Conversation

@maxgio92 (Contributor) commented Dec 13, 2024

This PR adds the configuration to add and drop Linux capabilities to the container for bubblewrap and docker runners, enabling a declarative way to do least privilege. The capabilities added or dropped are relative to the minimum set of capabilities Docker sets. They are applied to both build and test pipelines.

Furthermore, the minimum set of process capabilities in the Bubblewrap container is now the same as Docker's default capabilities, to improve result consistency.

Fixes #1703

Melange Pull Request Template

Functional Changes

  • This change can build all of Wolfi without errors (describe results in notes)

Notes:

SCA Changes

  • Examining several representative APKs show no regression / the desired effect (details in notes)

Notes:

Linter

  • The new check is clean across Wolfi
  • The new check is opt-in or a warning

Notes:
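An added illustration (not code from this PR or from melange) of the add/drop resolution the description sets out: starting from Docker's default capability set, drops are applied before adds, so a config can drop ALL and add back only what a step needs. The default list and the drop-before-add ordering follow `docker run --cap-drop/--cap-add` behaviour; the config key names melange uses for this feature are not shown here and are not assumed.

```go
package main

import (
	"sort"
	"strings"
)

// dockerDefaultCaps is the set Docker grants a container by default (moby's
// default list); after this PR it is the baseline for the bubblewrap runner too.
var dockerDefaultCaps = []string{
	"CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_MKNOD", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW", "CAP_SETFCAP",
	"CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID", "CAP_SYS_CHROOT",
}

// normalize accepts "chown", "CAP_CHOWN" or "all" and returns the canonical form.
func normalize(c string) string {
	c = strings.ToUpper(strings.TrimSpace(c))
	if c == "ALL" || strings.HasPrefix(c, "CAP_") {
		return c
	}
	return "CAP_" + c
}

// EffectiveCaps resolves add/drop lists relative to the default set, applying
// drops before adds (drop ALL + add CHOWN yields only CHOWN), and returns the
// sorted set a build or test step would actually run with.
func EffectiveCaps(add, drop []string) []string {
	set := map[string]bool{}
	for _, c := range dockerDefaultCaps {
		set[c] = true
	}
	for _, c := range drop {
		if n := normalize(c); n == "ALL" {
			set = map[string]bool{} // ALL clears everything; adds are applied after
		} else {
			delete(set, n)
		}
	}
	for _, c := range add {
		set[normalize(c)] = true
	}
	out := make([]string, 0, len(set))
	for c := range set {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}
```

A test step that needs ptrace but not raw sockets or mknod would resolve to the 14 defaults minus CAP_NET_RAW and CAP_MKNOD plus CAP_SYS_PTRACE; the same delta is what the runner forwards as its drop and add flags.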

@@ -25,6 +25,7 @@ require (
github.com/klauspost/compress v1.17.11
github.com/klauspost/pgzip v1.2.6
github.com/kubescape/go-git-url v0.0.30
github.com/moby/moby v27.4.0+incompatible
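Review bot: the new requirement `github.com/moby/moby v27.4.0+incompatible` carries the `+incompatible` suffix, meaning the module is consumed without a go.mod at a versioned import path, so tooling will not track its major version and future upgrades have to be pinned by hand. Since the author's comment on this line says the dependency exists only to track Docker's default capability list, consider recording that rationale as a comment next to the requirement in go.mod, and weigh whether a vendored copy of that list with a source reference would serve better than pulling the full moby module graph into melange's build.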
@maxgio92 (Contributor, Author) commented Dec 13, 2024 on this line:

This is the cost of tracking and aligning to Docker default capabilities.

Resolved review threads (outdated): pkg/container/config.go, pkg/config/config.go
@maxgio92 force-pushed the cap-add-drop branch 4 times, most recently from 449ec12 to a19c214, December 19, 2024 08:29
This commit adds the configuration to add and drop
Linux capabilities to the container for bubblewrap and docker
runners, enabling a declarative way to do least privilege
at both build and test time. Furthermore, the minimum set
of process capabilities in the Bubblewrap container is now
the same as Docker's default capabilities.

Signed-off-by: Massimiliano Giovagnoli <[email protected]>
@maxgio92 maxgio92 changed the title feat: add support for adding linux capabilities feat: add support to add and drop linux capabilities Dec 19, 2024
@maxgio92 maxgio92 requested a review from jonjohnsonjr January 8, 2025 11:13
@philroche (Member) left a comment:

Thank you. This will unblock many confusing local package build failures we see in sustaining, where we end up doing a docker/bubblewrap/sudo dance to try to get a successful build.

@maxgio92 maxgio92 merged commit 1c0002b into chainguard-dev:main Jan 10, 2025
36 checks passed
@maxgio92 maxgio92 deleted the cap-add-drop branch January 10, 2025 11:35
Successfully merging this pull request may close these issues.

Feature request: add support for adding linux capabilities