feat(containers): Prevent non-admin users from running containers using the host namespace pid (#4098)

* feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970) * feat(containers): Prevent non-admin users from running containers using the host namespace pid * feat(containers): add rbac check for swarm stack too * feat(containers): remove forgotten conflict * feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action * feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html * feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers * feat(database): trigger migration for AllowHostNamespace * feat(containers): check container creation authorization Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
2025-08-08 23:35:31 +02:00 · 2020-07-25 02:14:46 +03:00 · 2020-07-25 02:14:46 +03:00 · adf33385ce
commit adf33385ce
parent e78aaec558
12 changed files with 72 additions and 21 deletions
--- a/app/portainer/models/settings.js
+++ b/app/portainer/models/settings.js
@ -13,6 +13,7 @@ export function SettingsViewModel(data) {
  this.EdgeAgentCheckinInterval = data.EdgeAgentCheckinInterval;
  this.EnableEdgeComputeFeatures = data.EnableEdgeComputeFeatures;
  this.UserSessionTimeout = data.UserSessionTimeout;
+  this.AllowHostNamespaceForRegularUsers = data.AllowHostNamespaceForRegularUsers;
 }

 export function PublicSettingsViewModel(settings) {
--- a/app/portainer/services/stateManager.js
+++ b/app/portainer/services/stateManager.js
@ -76,6 +76,11 @@ angular.module('portainer.app').factory('StateManager', [
      LocalStorage.storeApplicationState(state.application);
    };

+    manager.updateAllowHostNamespaceForRegularUsers = function (allowHostNamespaceForRegularUsers) {
+      state.application.allowHostNamespaceForRegularUsers = allowHostNamespaceForRegularUsers;
+      LocalStorage.storeApplicationState(state.application);
+    };
+
    function assignStateFromStatusAndSettings(status, settings) {
      state.application.analytics = status.Analytics;
      state.application.version = status.Version;
--- a/app/portainer/views/settings/settings.html
+++ b/app/portainer/views/settings/settings.html
@ -108,6 +108,17 @@
              </label>
            </div>
          </div>
+          <div class="form-group">
+            <div class="col-sm-12">
+              <label for="toggle_allowHostNamespaceForRegularUsers" class="control-label text-left">
+                Disable the use of host PID 1 for non-administrators
+                <portainer-tooltip position="bottom" message="Prevent users from accessing the host filesystem through the host PID namespace."></portainer-tooltip>
+              </label>
+              <label class="switch" style="margin-left: 20px;">
+                <input type="checkbox" name="toggle_allowHostNamespaceForRegularUsers" ng-model="formValues.restrictHostNamespaceForRegularUsers" /><i></i>
+              </label>
+            </div>
+          </div>
          <!-- !security -->
          <!-- edge -->
          <div class="col-sm-12 form-section-title">
--- a/app/portainer/views/settings/settingsController.js
+++ b/app/portainer/views/settings/settingsController.js
@ -32,6 +32,7 @@ angular.module('portainer.app').controller('SettingsController', [
      enableHostManagementFeatures: false,
      enableVolumeBrowser: false,
      enableEdgeComputeFeatures: false,
+      restrictHostNamespaceForRegularUsers: false,
    };

    $scope.removeFilteredContainerLabel = function (index) {
@ -64,6 +65,7 @@ angular.module('portainer.app').controller('SettingsController', [
      settings.AllowVolumeBrowserForRegularUsers = $scope.formValues.enableVolumeBrowser;
      settings.EnableHostManagementFeatures = $scope.formValues.enableHostManagementFeatures;
      settings.EnableEdgeComputeFeatures = $scope.formValues.enableEdgeComputeFeatures;
+      settings.AllowHostNamespaceForRegularUsers = !$scope.formValues.restrictHostNamespaceForRegularUsers;

      $scope.state.actionInProgress = true;
      updateSettings(settings);
@ -77,6 +79,7 @@ angular.module('portainer.app').controller('SettingsController', [
          StateManager.updateSnapshotInterval(settings.SnapshotInterval);
          StateManager.updateEnableHostManagementFeatures(settings.EnableHostManagementFeatures);
          StateManager.updateEnableVolumeBrowserForNonAdminUsers(settings.AllowVolumeBrowserForRegularUsers);
+          StateManager.updateAllowHostNamespaceForRegularUsers(settings.AllowHostNamespaceForRegularUsers);
          StateManager.updateEnableEdgeComputeFeatures(settings.EnableEdgeComputeFeatures);
          $state.reload();
        })
@ -102,6 +105,7 @@ angular.module('portainer.app').controller('SettingsController', [
          $scope.formValues.enableVolumeBrowser = settings.AllowVolumeBrowserForRegularUsers;
          $scope.formValues.enableHostManagementFeatures = settings.EnableHostManagementFeatures;
          $scope.formValues.enableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures;
+          $scope.formValues.restrictHostNamespaceForRegularUsers = !settings.AllowHostNamespaceForRegularUsers;
        })
        .catch(function error(err) {
          Notifications.error('Failure', err, 'Unable to retrieve application settings');