feat(endpoint): relocate docker security settings (#4657)

* feat(endpoint): migrate security settings to endpoint * feat(endpoint): check for specific endpoint settings * feat(endpoint): check security settings * feat(docker): add config page * feat(endpoint): save settings page * feat(endpoints): disable features when not agent * feat(sidebar): hide docker settings for regular user * fix(docker): small fixes in configs * fix(volumes): hide browse button for non admins * refactor(docker): introduce switch component * refactor(components/switch): seprate label from switch * feat(app/components): align switch label * refactor(app/components): move switch css * fix(docker/settings): add ngijnect * feat(endpoints): set default security values * style(portainer): sort types * fix(endpoint): rename security heading * fix(endpoints): update endpoints settings
2025-07-24 07:49:41 +02:00 · 2021-02-09 10:09:06 +02:00 · 2021-02-09 10:09:06 +02:00 · 46dec01fe3
commit 46dec01fe3
parent e401724d43
46 changed files with 714 additions and 461 deletions
--- a/api/http/proxy/factory/docker/containers.go
+++ b/api/http/proxy/factory/docker/containers.go
@ -9,7 +9,7 @@ import (
 	"net/http"

 	"github.com/docker/docker/client"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
@ -181,7 +181,7 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
 	}

 	if !isAdminOrEndpointAdmin {
-		settings, err := transport.dataStore.Settings().Settings()
+		securitySettings, err := transport.fetchEndpointSecuritySettings()
 		if err != nil {
 			return nil, err
 		}
@ -197,23 +197,23 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
 			return nil, err
 		}

-		if !settings.AllowPrivilegedModeForRegularUsers && partialContainer.HostConfig.Privileged {
+		if !securitySettings.AllowPrivilegedModeForRegularUsers && partialContainer.HostConfig.Privileged {
 			return forbiddenResponse, errors.New("forbidden to use privileged mode")
 		}

-		if !settings.AllowHostNamespaceForRegularUsers && partialContainer.HostConfig.PidMode == "host" {
+		if !securitySettings.AllowHostNamespaceForRegularUsers && partialContainer.HostConfig.PidMode == "host" {
 			return forbiddenResponse, errors.New("forbidden to use pid host namespace")
 		}

-		if !settings.AllowDeviceMappingForRegularUsers && len(partialContainer.HostConfig.Devices) > 0 {
+		if !securitySettings.AllowDeviceMappingForRegularUsers && len(partialContainer.HostConfig.Devices) > 0 {
 			return forbiddenResponse, errors.New("forbidden to use device mapping")
 		}

-		if !settings.AllowContainerCapabilitiesForRegularUsers && (len(partialContainer.HostConfig.CapAdd) > 0 || len(partialContainer.HostConfig.CapDrop) > 0) {
+		if !securitySettings.AllowContainerCapabilitiesForRegularUsers && (len(partialContainer.HostConfig.CapAdd) > 0 || len(partialContainer.HostConfig.CapDrop) > 0) {
 			return nil, errors.New("forbidden to use container capabilities")
 		}

-		if !settings.AllowBindMountsForRegularUsers && (len(partialContainer.HostConfig.Binds) > 0) {
+		if !securitySettings.AllowBindMountsForRegularUsers && (len(partialContainer.HostConfig.Binds) > 0) {
 			return forbiddenResponse, errors.New("forbidden to use bind mounts")
 		}