feat(containers): Prevent non-admin users from running containers using the host namespace pid (#4098)

* feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970)

* feat(containers): Prevent non-admin users from running containers using the host namespace pid

* feat(containers): add rbac check for swarm stack too

* feat(containers): remove forgotten conflict

* feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action

* feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html

* feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers

* feat(database): trigger migration for AllowHostNamespace

* feat(containers): check container creation authorization

Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>

api/bolt/init.go

@@ -28,6 +28,7 @@ func (store *Store) Init() error {
 			AllowBindMountsForRegularUsers:     true,
 			AllowPrivilegedModeForRegularUsers: true,
 			AllowVolumeBrowserForRegularUsers:  false,
+			AllowHostNamespaceForRegularUsers:  true,
 			EnableHostManagementFeatures:       false,
 			EdgeAgentCheckinInterval:           portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
 			TemplatesURL:                       portainer.DefaultTemplatesURL,

api/bolt/migrator/migrate_dbversion23.go

@@ -1,6 +1,12 @@
 package migrator
 
 func (m *Migrator) updateSettingsToDB24() error {
-	// Placeholder for 1.24.1 backports
-	return nil
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	legacySettings.AllowHostNamespaceForRegularUsers = true
+
+	return m.settingsService.UpdateSettings(legacySettings)
 }

api/http/handler/settings/settings_public.go

@@ -18,6 +18,7 @@ type publicSettingsResponse struct {
 	EnableHostManagementFeatures       bool                           `json:"EnableHostManagementFeatures"`
 	EnableEdgeComputeFeatures          bool                           `json:"EnableEdgeComputeFeatures"`
 	OAuthLoginURI                      string                         `json:"OAuthLoginURI"`
+	AllowHostNamespaceForRegularUsers  bool                           `json:"AllowHostNamespaceForRegularUsers"`
 }
 
 // GET request on /api/settings/public
@@ -33,6 +34,7 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 		AllowBindMountsForRegularUsers:     settings.AllowBindMountsForRegularUsers,
 		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
 		AllowVolumeBrowserForRegularUsers:  settings.AllowVolumeBrowserForRegularUsers,
+		AllowHostNamespaceForRegularUsers:  settings.AllowHostNamespaceForRegularUsers,
 		EnableHostManagementFeatures:       settings.EnableHostManagementFeatures,
 		EnableEdgeComputeFeatures:          settings.EnableEdgeComputeFeatures,
 		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&prompt=login",

api/http/handler/settings/settings_update.go

@@ -22,6 +22,7 @@ type settingsUpdatePayload struct {
 	OAuthSettings                      *portainer.OAuthSettings
 	AllowBindMountsForRegularUsers     *bool
 	AllowPrivilegedModeForRegularUsers *bool
+	AllowHostNamespaceForRegularUsers  *bool
 	AllowVolumeBrowserForRegularUsers  *bool
 	EnableHostManagementFeatures       *bool
 	SnapshotInterval                   *string
@@ -125,6 +126,10 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		settings.EnableEdgeComputeFeatures = *payload.EnableEdgeComputeFeatures
 	}
 
+	if payload.AllowHostNamespaceForRegularUsers != nil {
+		settings.AllowHostNamespaceForRegularUsers = *payload.AllowHostNamespaceForRegularUsers
+	}
+
 	if payload.SnapshotInterval != nil && *payload.SnapshotInterval != settings.SnapshotInterval {
 		err := handler.updateSnapshotInterval(settings, *payload.SnapshotInterval)
 		if err != nil {

api/http/handler/stacks/create_compose_stack.go

@@ -336,7 +336,11 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
 		return err
 	}
 
-	if (!settings.AllowBindMountsForRegularUsers || !settings.AllowPrivilegedModeForRegularUsers) && !isAdminOrEndpointAdmin {
+	if (!settings.AllowBindMountsForRegularUsers ||
+		!settings.AllowPrivilegedModeForRegularUsers ||
+		!settings.AllowHostNamespaceForRegularUsers) &&
+		!isAdminOrEndpointAdmin {
+
 		composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
 
 		stackContent, err := handler.FileService.GetFileContent(composeFilePath)

api/http/handler/stacks/stack_create.go

@@ -142,6 +142,10 @@ func (handler *Handler) isValidStackFile(stackFileContent []byte, settings *port
 		if !settings.AllowPrivilegedModeForRegularUsers && service.Privileged == true {
 			return errors.New("privileged mode disabled for non administrator users")
 		}
+
+		if !settings.AllowHostNamespaceForRegularUsers && service.Pid == "host" {
+			return errors.New("pid host disabled for non administrator users")
+		}
 	}
 
 	return nil

api/http/proxy/factory/docker/containers.go

@@ -158,10 +158,15 @@ func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelB
 func (transport *Transport) decorateContainerCreationOperation(request *http.Request, resourceIdentifierAttribute string, resourceType portainer.ResourceControlType) (*http.Response, error) {
 	type PartialContainer struct {
 		HostConfig struct {
-			Privileged bool `json:"Privileged"`
+			Privileged bool   `json:"Privileged"`
+			PidMode    string `json:"PidMode"`
 		} `json:"HostConfig"`
 	}
 
+	forbiddenResponse := &http.Response{
+		StatusCode: http.StatusForbidden,
+	}
+
 	tokenData, err := security.RetrieveTokenData(request)
 	if err != nil {
 		return nil, err
@@ -189,24 +194,26 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
 			return nil, err
 		}
 
-		if !settings.AllowPrivilegedModeForRegularUsers {
-			body, err := ioutil.ReadAll(request.Body)
-			if err != nil {
-				return nil, err
-			}
-
-			partialContainer := &PartialContainer{}
-			err = json.Unmarshal(body, partialContainer)
-			if err != nil {
-				return nil, err
-			}
-
-			if partialContainer.HostConfig.Privileged {
-				return nil, errors.New("forbidden to use privileged mode")
-			}
-
-			request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
+		body, err := ioutil.ReadAll(request.Body)
+		if err != nil {
+			return nil, err
 		}
+
+		partialContainer := &PartialContainer{}
+		err = json.Unmarshal(body, partialContainer)
+		if err != nil {
+			return nil, err
+		}
+
+		if !settings.AllowPrivilegedModeForRegularUsers && partialContainer.HostConfig.Privileged {
+			return forbiddenResponse, errors.New("forbidden to use privileged mode")
+		}
+
+		if !settings.AllowHostNamespaceForRegularUsers && partialContainer.HostConfig.PidMode == "host" {
+			return forbiddenResponse, errors.New("forbidden to use pid host namespace")
+		}
+
+		request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
 	}
 
 	response, err := transport.executeDockerRequest(request)

api/portainer.go

@@ -524,6 +524,7 @@ type (
 		EdgeAgentCheckinInterval           int                  `json:"EdgeAgentCheckinInterval"`
 		EnableEdgeComputeFeatures          bool                 `json:"EnableEdgeComputeFeatures"`
 		UserSessionTimeout                 string               `json:"UserSessionTimeout"`
+		AllowHostNamespaceForRegularUsers  bool                 `json:"AllowHostNamespaceForRegularUsers"`
 
 		// Deprecated fields
 		DisplayDonationHeader       bool

app/portainer/models/settings.js

@@ -13,6 +13,7 @@ export function SettingsViewModel(data) {
   this.EdgeAgentCheckinInterval = data.EdgeAgentCheckinInterval;
   this.EnableEdgeComputeFeatures = data.EnableEdgeComputeFeatures;
   this.UserSessionTimeout = data.UserSessionTimeout;
+  this.AllowHostNamespaceForRegularUsers = data.AllowHostNamespaceForRegularUsers;
 }
 
 export function PublicSettingsViewModel(settings) {

app/portainer/services/stateManager.js

@@ -76,6 +76,11 @@ angular.module('portainer.app').factory('StateManager', [
       LocalStorage.storeApplicationState(state.application);
     };
 
+    manager.updateAllowHostNamespaceForRegularUsers = function (allowHostNamespaceForRegularUsers) {
+      state.application.allowHostNamespaceForRegularUsers = allowHostNamespaceForRegularUsers;
+      LocalStorage.storeApplicationState(state.application);
+    };
+
     function assignStateFromStatusAndSettings(status, settings) {
       state.application.analytics = status.Analytics;
       state.application.version = status.Version;

app/portainer/views/settings/settings.html

@@ -108,6 +108,17 @@
               </label>
             </div>
           </div>
+          <div class="form-group">
+            <div class="col-sm-12">
+              <label for="toggle_allowHostNamespaceForRegularUsers" class="control-label text-left">
+                Disable the use of host PID 1 for non-administrators
+                <portainer-tooltip position="bottom" message="Prevent users from accessing the host filesystem through the host PID namespace."></portainer-tooltip>
+              </label>
+              <label class="switch" style="margin-left: 20px;">
+                <input type="checkbox" name="toggle_allowHostNamespaceForRegularUsers" ng-model="formValues.restrictHostNamespaceForRegularUsers" /><i></i>
+              </label>
+            </div>
+          </div>
           <!-- !security -->
           <!-- edge -->
           <div class="col-sm-12 form-section-title">

app/portainer/views/settings/settingsController.js

@@ -32,6 +32,7 @@ angular.module('portainer.app').controller('SettingsController', [
       enableHostManagementFeatures: false,
       enableVolumeBrowser: false,
       enableEdgeComputeFeatures: false,
+      restrictHostNamespaceForRegularUsers: false,
     };
 
     $scope.removeFilteredContainerLabel = function (index) {
@@ -64,6 +65,7 @@ angular.module('portainer.app').controller('SettingsController', [
       settings.AllowVolumeBrowserForRegularUsers = $scope.formValues.enableVolumeBrowser;
       settings.EnableHostManagementFeatures = $scope.formValues.enableHostManagementFeatures;
       settings.EnableEdgeComputeFeatures = $scope.formValues.enableEdgeComputeFeatures;
+      settings.AllowHostNamespaceForRegularUsers = !$scope.formValues.restrictHostNamespaceForRegularUsers;
 
       $scope.state.actionInProgress = true;
       updateSettings(settings);
@@ -77,6 +79,7 @@ angular.module('portainer.app').controller('SettingsController', [
           StateManager.updateSnapshotInterval(settings.SnapshotInterval);
           StateManager.updateEnableHostManagementFeatures(settings.EnableHostManagementFeatures);
           StateManager.updateEnableVolumeBrowserForNonAdminUsers(settings.AllowVolumeBrowserForRegularUsers);
+          StateManager.updateAllowHostNamespaceForRegularUsers(settings.AllowHostNamespaceForRegularUsers);
           StateManager.updateEnableEdgeComputeFeatures(settings.EnableEdgeComputeFeatures);
           $state.reload();
         })
@@ -102,6 +105,7 @@ angular.module('portainer.app').controller('SettingsController', [
           $scope.formValues.enableVolumeBrowser = settings.AllowVolumeBrowserForRegularUsers;
           $scope.formValues.enableHostManagementFeatures = settings.EnableHostManagementFeatures;
           $scope.formValues.enableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures;
+          $scope.formValues.restrictHostNamespaceForRegularUsers = !settings.AllowHostNamespaceForRegularUsers;
         })
         .catch(function error(err) {
           Notifications.error('Failure', err, 'Unable to retrieve application settings');