From f2ac2ac8ec3f5fdca3f6dc1ddfa50da3f994a7a8 Mon Sep 17 00:00:00 2001
From: kaiyou <dev@kaiyou.fr>
Date: Sun, 23 Oct 2022 19:46:01 +0200
Subject: [PATCH] Add required permissions and capabilities for runc

---
 pkg/selfcontain/defaults.go | 81 +++++++++++++++++++++++++++++++++++--
 1 file changed, 78 insertions(+), 3 deletions(-)

diff --git a/pkg/selfcontain/defaults.go b/pkg/selfcontain/defaults.go
index 3b1954b..b9514d4 100644
--- a/pkg/selfcontain/defaults.go
+++ b/pkg/selfcontain/defaults.go
@@ -29,6 +29,34 @@ var allowedDevices = []*devices.Device{
 Allow: true,
 },
 },
+ {
+ Path: "/dev/zero",
+ FileMode: 0o666,
+ Uid: 0,
+ Gid: 0,
+ Rule: devices.Rule{
+ Type: devices.CharDevice,
+ Major: 1,
+ Minor: 5,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ },
+ {
+ Path: "/dev/urandom",
+ FileMode: 0o666,
+ Uid: 0,
+ Gid: 0,
+ Rule: devices.Rule{
+ Type: devices.CharDevice,
+ Major: 1,
+ Minor: 9,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ },
+ // Required by kubelet and other kubernetes related downstream
+ // processes
 {
 Path: "/dev/kmsg",
 FileMode: 0o666,
@@ -42,6 +70,8 @@ var allowedDevices = []*devices.Device{
 Allow: true,
 },
 },
+ // Required by many downstream processes, including anything
+ // like an http client which does tls
 {
 Path: "/dev/random",
 FileMode: 0o666,
@@ -55,6 +85,34 @@ var allowedDevices = []*devices.Device{
 Allow: true,
 },
 },
+ // Required by downstream runc for mounting
+ {
+ Path: "/dev/full",
+ FileMode: 0o666,
+ Uid: 0,
+ Gid: 0,
+ Rule: devices.Rule{
+ Type: devices.CharDevice,
+ Major: 1,
+ Minor: 7,
+ Permissions: "rw",
+ Allow: true,
+ },
+ },
+ // Required by downstream containers for mounting a tty
+ {
+ Path: "/dev/tty",
+ FileMode: 0o666,
+ Uid: 0,
+ Gid: 0,
+ Rule: devices.Rule{
+ Type: devices.CharDevice,
+ Major: 5,
+ Minor: 0,
+ Permissions: "rw",
+ Allow: true,
+ },
+ },
 }
 
 // These path will be mounted as a default base inside the container
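Review bot: The new /dev/zero and /dev/urandom rules grant `Permissions: "rwm"` while the /dev/full and /dev/tty rules added later in this same patch grant only `"rw"`; the `m` bit additionally lets the contained process mknod those device nodes, which is only needed if the container is expected to create the nodes itself rather than receive them from the host (the patch also adds CAP_MKNOD, which points that way, but nothing here says so). Pick one policy for the whole table — `"rw"` unless mknod is genuinely required — and record the reason on the entries that keep it, e.g. `// "m" is needed because the container creates this node in its own /dev` above the /dev/zero rule. The `allowedDevices` slice starts before this hunk, so the permissions of the earlier entries are not visible here.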
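Review bot: The /dev/tty rule (major 5, minor 0) is the controlling-terminal alias, not a pseudo-terminal, so `// Required by downstream containers for mounting a tty` likely promises more than the entry delivers: if downstream runc has to allocate a terminal for a container, that presumably goes through /dev/ptmx (5:2) and a devpts mount, neither of which this patch allows — verify against the failure that motivated the entry before relying on it. I would reword the comment to `// /dev/tty (5:0): controlling-terminal alias expected to exist in a container's /dev; pty allocation is NOT covered` and add a /dev/ptmx rule only if that allocation is actually needed. Likewise `// Required by downstream runc for mounting` on /dev/full does not say what runc mounts; naming the concrete step (or the runc default device list, if that is the source) would spare the next reader a trip into runc. The end of the device table and the `// These path will be mounted ...` declaration after it are context only, outside this hunk's new lines.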
@@ -114,9 +172,26 @@ var capabilities = []string{
 "CAP_NET_ADMIN",
 // Required for raw sockets, including ICMP
 "CAP_NET_RAW",
- // Required for unpacking archives and images
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
+ // Required for unpacking archives and images
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ // Required for adjusting oom score by runc
+ "CAP_SYS_RESOURCE",
+ // Required for setting uid and gid by runc
+ "CAP_SETUID",
+ "CAP_SETGID",
+ // Added temporarily to accomodate runc capabilities
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_RAW",
+ "CAP_SYS_CHROOT",
+ "CAP_MKNOD",
+ "CAP_AUDIT_WRITE",
+ "CAP_SETFCAP",
+ "CAP_FSETID",
 }
 
 // These networks will be setup as a default base inside the container
-- 
GitLab
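Review bot: The `// Added temporarily to accomodate runc capabilities` block is effectively a blanket grant: it re-adds CAP_NET_RAW, which is already in the list three lines above, lists CAP_FSETID twice, and together with CAP_CHOWN/DAC_OVERRIDE/FOWNER/SETUID/SETGID/SETPCAP/SETFCAP/SYS_CHROOT/MKNOD it looks like the full runc/Docker default bounding set, so the allowlist no longer constrains much. Deduplicate the two repeats and replace the comment with one that records why the grant exists and when it goes away, e.g. `// TODO(<issue>): runc cannot hand a container capabilities absent from our own bounding set, so this mirrors runc's default set; trim once downstream configs stop requesting the unneeded ones` (which also fixes "accomodate"). CAP_SYS_RESOURCE is only needed if runc is asked to lower oom_score_adj below the current value — worth confirming rather than granting unconditionally. The `var capabilities` declaration starts before this hunk, so any capabilities listed above CAP_NET_ADMIN are not visible here.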