
[installer] manually set allowPrivilegeEscalation to false #14918

Merged
merged 1 commit into from
Dec 5, 2022

Conversation

Pothulapati
Copy link
Contributor

@Pothulapati Pothulapati commented Nov 24, 2022

Description

This PR manually sets the allowPrivilegeEscalation container config to false where
we don't need extra capabilities. Though this does not affect anything yet,
this is needed as not setting this explicitly could mean that it could still be true
based on some other settings.

This also helps us future proof on any behaviour changes around this.

This skips the following components as they need privilege access:

  • agent-smith component container
  • ws-daemon Component container
  • shiftfs container

Signed-off-by: Tarun Pothulapati <tarun@gitpod.io>

Related Issue(s)

Part of https://github.com/gitpod-io/security/issues/70

How to test

Tested that workspaces start correctly through a preview environment

Release Notes

[installer] manually set `allowPrivilegeEscalation` to false

Documentation

Werft options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh
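The point in the description that an unset `allowPrivilegeEscalation` is not the same as `false` is easy to get wrong when reviewing manifests, so here is an added audit example (not code from the Gitpod installer) that applies the documented Kubernetes rule: the field is forced to `true` for privileged containers and for containers that add `CAP_SYS_ADMIN`, an unset field leaves `no_new_privs` unapplied so escalation remains possible, and only an explicit `false` turns it off. The struct types are minimal local stand-ins for the `securityContext` fields rather than the `k8s.io/api` types, and the pod spec is a constructed sample; the component name `ws-daemon` is used only as a label for a container that needs privileged access, as the PR lists.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal local mirrors of the Kubernetes securityContext fields used here
// (hypothetical stand-ins, not the k8s.io/api types).
type Capabilities struct {
	Add []string `json:"add,omitempty"`
}

type SecurityContext struct {
	Privileged               *bool         `json:"privileged,omitempty"`
	AllowPrivilegeEscalation *bool         `json:"allowPrivilegeEscalation,omitempty"`
	Capabilities             *Capabilities `json:"capabilities,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	Containers []Container `json:"containers"`
}

// Finding records the effective privilege-escalation posture of one container.
type Finding struct {
	Container string
	Effective bool // true when privilege escalation is effectively allowed
	Reason    string
}

func boolPtr(b bool) *bool { return &b }

// effectiveAllowPrivilegeEscalation applies the documented Kubernetes rule:
// privileged containers and containers adding CAP_SYS_ADMIN are always true;
// an unset field means the kubelet does not set no_new_privs, so escalation
// stays possible; only an explicit false actually disables it.
func effectiveAllowPrivilegeEscalation(sc *SecurityContext) (bool, string) {
	if sc != nil {
		if sc.Privileged != nil && *sc.Privileged {
			return true, "privileged container forces allowPrivilegeEscalation=true"
		}
		if sc.Capabilities != nil {
			for _, c := range sc.Capabilities.Add {
				if c == "SYS_ADMIN" || c == "CAP_SYS_ADMIN" {
					return true, "CAP_SYS_ADMIN forces allowPrivilegeEscalation=true"
				}
			}
		}
		if sc.AllowPrivilegeEscalation != nil {
			if *sc.AllowPrivilegeEscalation {
				return true, "explicitly set to true"
			}
			return false, "explicitly set to false (no_new_privs applied)"
		}
	}
	return true, "unset: no_new_privs not applied, escalation remains possible"
}

// ParsePodSpec decodes a pod spec given as JSON.
func ParsePodSpec(specJSON []byte) (PodSpec, error) {
	var spec PodSpec
	err := json.Unmarshal(specJSON, &spec)
	return spec, err
}

// AuditPodSpec reports the effective setting for every container in the spec.
func AuditPodSpec(spec PodSpec) []Finding {
	findings := make([]Finding, 0, len(spec.Containers))
	for _, c := range spec.Containers {
		eff, why := effectiveAllowPrivilegeEscalation(c.SecurityContext)
		findings = append(findings, Finding{Container: c.Name, Effective: eff, Reason: why})
	}
	return findings
}

// Harden mirrors the PR's approach: set false explicitly on every container
// except those that genuinely need privileged access.
func Harden(spec *PodSpec, needsPrivilege map[string]bool) {
	for i := range spec.Containers {
		c := &spec.Containers[i]
		if needsPrivilege[c.Name] {
			continue
		}
		if c.SecurityContext == nil {
			c.SecurityContext = &SecurityContext{}
		}
		c.SecurityContext.AllowPrivilegeEscalation = boolPtr(false)
	}
}

// Constructed sample: one container with nothing set, one explicitly false,
// one privileged (stand-in for a component such as ws-daemon).
const samplePod = `{"containers":[
  {"name":"server"},
  {"name":"proxy","securityContext":{"allowPrivilegeEscalation":false}},
  {"name":"ws-daemon","securityContext":{"privileged":true}}
]}`

func main() {
	spec, err := ParsePodSpec([]byte(samplePod))
	if err != nil {
		panic(err)
	}
	for _, f := range AuditPodSpec(spec) {
		fmt.Printf("%-10s effective=%v: %s\n", f.Container, f.Effective, f.Reason)
	}
}
```

Run against the sample, the audit flags `server` (unset) as still allowing escalation while `proxy` (explicit false) does not, which is exactly the gap the PR closes. `Harden` skips the names passed as needing privilege; the API server also rejects `privileged: true` combined with `allowPrivilegeEscalation: false`, so those containers cannot simply receive the same setting.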

@Pothulapati Pothulapati requested review from a team November 24, 2022 11:16
@werft-gitpod-dev-com
Copy link

started the job as gitpod-build-tar-disallow-escalation-explicitely.2 because the annotations in the pull request description changed
(with .werft/ from main)

@github-actions github-actions bot added team: SID team: IDE team: webapp Issue belongs to the WebApp team team: workspace Issue belongs to the Workspace team labels Nov 24, 2022
@Pothulapati
Copy link
Contributor Author

Pothulapati commented Nov 25, 2022

/hold just for some more tests 👀

@geropl
Copy link
Member

geropl commented Nov 28, 2022

@Pothulapati While I agree that this in theory should not affect anything we should definitely test thoroughly. 💯

@Pothulapati Pothulapati force-pushed the tar/disallow-escalation-explicitely branch from 7d055c9 to e932bd4 Compare November 30, 2022 06:33
@Pothulapati
Copy link
Contributor Author

Update: Manual tests are all good, i.e. workspaces, prebuilds, etc. Waiting on integration tests to work. Seems to be an issue on the pipeline itself. Will update once I have something.

@Pothulapati Pothulapati force-pushed the tar/disallow-escalation-explicitely branch 2 times, most recently from cb4cb2d to c84c9b3 Compare December 2, 2022 05:58
This PR manually sets the `allowPrivilegeEscalation` container
config to false where we don't need extra capabilities. This
is needed as not setting this explicitly could mean that
it could still be `true` based on other settings.

This also helps us future proof on any behaviour changes around
this.

Signed-off-by: Tarun Pothulapati <tarun@gitpod.io>
@Pothulapati Pothulapati force-pushed the tar/disallow-escalation-explicitely branch from c84c9b3 to fc7b871 Compare December 2, 2022 09:55
@Pothulapati
Copy link
Contributor Author

Pothulapati commented Dec 2, 2022

Ran IDE & Workspace Integration tests separately, and they seem to pass. 👀

Copy link
Contributor

@felladrin felladrin left a comment


IDEs tested on preview environment and code reviewed. ✅


@roboquat roboquat merged commit c2eb0c1 into main Dec 5, 2022
@roboquat roboquat deleted the tar/disallow-escalation-explicitely branch December 5, 2022 09:28
@roboquat roboquat added deployed: IDE IDE change is running in production deployed: webapp Meta team change is running in production labels Dec 5, 2022
@roboquat roboquat added the deployed: workspace Workspace team change is running in production label Dec 7, 2022
Labels

  • deployed: IDE (IDE change is running in production)
  • deployed: webapp (Meta team change is running in production)
  • deployed: workspace (Workspace team change is running in production)
  • release-note
  • size/L
  • team: IDE
  • team: SID
  • team: webapp (Issue belongs to the WebApp team)
  • team: workspace (Issue belongs to the Workspace team)
7 participants