mirror of https://github.com/portainer/portainer.git synced 2025-07-24 15:59:41 +02:00

feat(settings): introduce setting to disable container caps for non-admins (#4109)

* feat(settings): introduce settings to allow/disable

* feat(settings): update the setting

* feat(docker): prevent user from using caps if disabled

* refactor(stacks): revert file

* style(api): remove portainer ns
Chaim Lev-Ari 2020-07-28 10:08:15 +03:00 committed by GitHub
parent fec85c77d6
commit 1a3f77137a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 136 additions and 82 deletions


@ -161,6 +161,8 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
Privileged bool `json:"Privileged"`
PidMode string `json:"PidMode"`
Devices []interface{} `json:"Devices"`
CapAdd []string `json:"CapAdd"`
CapDrop []string `json:"CapDrop"`
} `json:"HostConfig"`
}
@ -220,6 +222,10 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
return nil, errors.New("forbidden to use device mapping")
}
if !settings.AllowContainerCapabilitiesForRegularUsers && (len(partialContainer.HostConfig.CapAdd) > 0 || len(partialContainer.HostConfig.CapDrop) > 0) {
return nil, errors.New("forbidden to use container capabilities")
}
request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
}
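Review bot: The new guard in the second hunk rejects a request when either `CapAdd` or `CapDrop` is non-empty, so with the setting off a regular user cannot drop capabilities either, even though dropping only narrows the container's privileges and `CapAdd` is the field that widens them. If the goal is to block privilege escalation, the condition could be `!settings.AllowContainerCapabilitiesForRegularUsers && len(partialContainer.HostConfig.CapAdd) > 0`; if refusing both is deliberate, a one-line comment above the `if` saying why `CapDrop` is refused would save the next reader the question. The check reads only the `HostConfig` of the container-creation body, so any other path that can set capabilities (service or stack creation, presumably) would need its own guard; that is not visible from this page. decorateContainerCreationOperation starts and ends outside both hunks, so it cannot be confirmed here that the guard sits in the same non-admin branch as the device-mapping check above it.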