Add capabilities to artifacts #815
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for setting POSIX capabilities on artifacts in Dalec package specifications. This feature enables binaries to have specific Linux capabilities (like cap_net_raw) without requiring privilege escalation, which is useful in restricted security contexts.
Key changes:
- Added
Capabilitiesfield toArtifactConfigstruct for specifying capability strings - Implemented capability setting in both RPM and DEB packaging backends using
setcapcommands - Added integration test verifying capability setting works end-to-end
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| artifacts.go | Added Capabilities field to ArtifactConfig struct with documentation |
| docs/spec.schema.json | Updated JSON schema to include the new capabilities field |
| packaging/linux/rpm/template.go | Implemented getArtifactCapabilities() to generate setcap commands in RPM %post scriptlet |
| packaging/linux/deb/debroot.go | Implemented setArtifactCapabilitiesPostInst() to generate setcap commands in DEB postinst script |
| test/linux_target_test.go | Added testArtifactCapabilities integration test that verifies capability setting on a binary |
packaging/linux/deb/debroot.go
Outdated
| apply(artifacts.ConfigFiles, ConfigFilesPath) | ||
| apply(artifacts.Manpages, filepath.Join(ManpagesPath, spec.Name)) | ||
| apply(artifacts.Headers, HeadersPath) | ||
| apply(artifacts.Licenses, filepath.Join(LicensesPath, spec.Name)) |
There was a problem hiding this comment.
I think copilot is right about not needing to set something like "capabilities" on non-binaries.
There was a problem hiding this comment.
its a little weird, but you could say the same thing about making files here executable, and that's perfectly allowed. So it seems inconsistent to be able to make a license or manpage executable, but not give it any capabilities
There was a problem hiding this comment.
You could make the argument the other way around though, caps are only relevant to actual binaries while permissions are relevant to everything. Up to you, I don't feel strongly
There was a problem hiding this comment.
The undocumented macro for RPM just lands in the files section. I think this is ok, document that it isn;t supported?
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
2 times, most recently
from
c2896eb to
9776fc9
Compare
packaging/linux/deb/debroot.go
Outdated
| } | ||
| resolved := cfg.ResolveName(key) | ||
| p := filepath.Join(root, cfg.SubPath, resolved) | ||
| fmt.Fprintf(w, "setcap %s \"$DESTDIR%s\"\n", cfg.Capabilities, p) |
There was a problem hiding this comment.
can we do this with the RPM macro?
There was a problem hiding this comment.
see other comment
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
from
3f3d1e8 to
8fb567c
Compare
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
2 times, most recently
from
331e0ac to
63a5a68
Compare
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
from
226d13c to
ef7af3a
Compare
artifacts.go
Outdated
| // Group is the group name that should own the artifact | ||
| Group string `yaml:"group,omitempty" json:"group,omitempty"` | ||
| // Capabilities is the list of POSIX capabilities to set on the artifact | ||
| Capabilities []ArtifactCapability `yaml:"capabilities,omitempty" json:"capabilities,omitempty"` |
There was a problem hiding this comment.
I swear I fixed this
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
from
5596177 to
2b546b7
Compare
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
from
a310dee to
dbcc92c
Compare
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
from
049ba54 to
2b88f81
Compare
|
Needs a |
Stevenjin8
temporarily deployed
to
deploy-docs
GitHub Actions
Inactive
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
from
bc4ec94 to
429459e
Compare
Stevenjin8
temporarily deployed
to
deploy-docs
GitHub Actions
Inactive
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Co-authored-by: Copilot <[email protected]> Signed-off-by: Steven Jin <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Signed-off-by: Steven Jin Xuan <[email protected]>
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
from
429459e to
d4a7096
Compare
cpuguy83
left a comment
cpuguy83
left a comment
There was a problem hiding this comment.
Seems to be missing the last change to swtich to linux_capabilities
Signed-off-by: Steven Jin Xuan <[email protected]>
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
from
fc7be1e to
350425a
Compare
Signed-off-by: Steven Jin Xuan <[email protected]>
Stevenjin8
force-pushed
the
feature/artifact-caps
branch
from
d2dbb2e to
f70fba5
Compare
4 participants
What this PR does / why we need it:
This allows for setting capabilities for binaries in artifacts. This is helpful in contexts that do not allow for privilege escalation.
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when the PR gets merged):Fixes #
Special notes for your reviewer: