mirrors/portainer
1
0
Fork 0
mirror of https://github.com/portainer/portainer.git synced 2025-11-26 14:06:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat(containers): Prevent non-admin users from running containers using the host namespace pid (#4098)

Browse Source 
* feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970)

* feat(containers): Prevent non-admin users from running containers using the host namespace pid

* feat(containers): add rbac check for swarm stack too

* feat(containers): remove forgotten conflict

* feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action

* feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html

* feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers

* feat(database): trigger migration for AllowHostNamespace

* feat(containers): check container creation authorization

Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
This commit is contained in:
Chaim Lev-Ari
2020-07-25 02:14:46 +03:00
committed by GitHub
parent e78aaec558
commit adf33385ce
12 changed files with 72 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
api/http/handler/stacks/create_compose_stack.go
View File

@@ -336,7 +336,11 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
return err
}
if (!settings.AllowBindMountsForRegularUsers || !settings.AllowPrivilegedModeForRegularUsers) && !isAdminOrEndpointAdmin {
if (!settings.AllowBindMountsForRegularUsers ||
!settings.AllowPrivilegedModeForRegularUsers ||
!settings.AllowHostNamespaceForRegularUsers) &&
!isAdminOrEndpointAdmin {
composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
stackContent, err := handler.FileService.GetFileContent(composeFilePath)