fix(supervisor): drop sandbox child capability bounding set#2001
Conversation
alangou
requested review from
a team,
derekwaynecarr,
maxamillion and
mrunalp
as code owners
elezar
left a comment
elezar
left a comment
There was a problem hiding this comment.
A codex-assisted review:
I think this still fails closed incorrectly for the Podman path. drop_capability_bounding_set() returns Ok(()) when CAP_SETPCAP is
not effective, and also when the first PR_CAPBSET_DROP returns EPERM. But the Podman driver currently drops SETPCAP from the
supervisor container, so that path leaves the child bounding set unchanged while still spawning the workload/connect shell.
Could we either keep SETPCAP available to the supervisor until child setup, or fail the spawn when the bounding set cannot be cleared
and is still nonempty? This may also be a good place to use capctl rather than custom /proc parsing and raw prctl;
capctl::caps::bounding::clear() plus an explicit “EPERM is only OK if the bounding set is already empty” check would make the invariant
clearer.
The current regression test skips when CAP_SETPCAP is unavailable, so it would not catch the Podman-relevant failure mode.
+1. Seems like different drivers can do different drops on their own which would impact this common code that runs driver-agnostically. |
alangou
force-pushed
the
alangou/os-173-high-docker-sandboxes-run-as-root-with-sys_admin-and
branch
3 times, most recently
from
0c0c87e to
b629752
Compare
|
@johntmyers @elezar I have implemented the requested changes |
alangou
force-pushed
the
alangou/os-173-high-docker-sandboxes-run-as-root-with-sys_admin-and
branch
from
b629752 to
6acb0bc
Compare
|
looks good @alangou - will need to update the README for openshell-driver-podman as it still mentions SETPCAP is dropped |
Reduce the Linux capability bounding set in the common privilege-drop path before executing sandbox workloads or connect shells and use capctl Signed-off-by: Adrien Langou <alangou@nvidia.com>
alangou
force-pushed
the
alangou/os-173-high-docker-sandboxes-run-as-root-with-sys_admin-and
branch
from
6acb0bc to
b0bb43b
Compare
|
@johntmyers the readme is updated (auto-merge is enable) |
|
Label |
alangou
deleted the
alangou/os-173-high-docker-sandboxes-run-as-root-with-sys_admin-and
branch
The OpenShell gateway defaults to pulling ghcr.io/nvidia/openshell/supervisor:latest for the sandbox supervisor binary. When NVIDIA released v0.0.73 (2026-06-30 15:31 UTC), the :latest tag was re-pointed to a supervisor that drops the Linux capability bounding set (NVIDIA/OpenShell#2001), which crashes with EINVAL in rootless Podman on GitHub Actions runners. Write a gateway.toml that pins supervisor_image to the version from openshell-version.sh so the supervisor always matches the installed gateway and is immune to upstream :latest tag changes. Fixes fullsend-ai#2792 Assisted-by: Claude (investigation, fix) Signed-off-by: Wayne Sun <gsun@redhat.com>
3 participants
Summary
Drop the Linux capability bounding set in the common sandbox child privilege-drop path so workloads and
openshell connectshells cannot regain container-granted capabilities after exec.Related Issue
Closes #1452
Changes
drop_privileges()afterinitgroups/setgidand beforesetuid.0..=cap_last_cap, withCAP_SETPCAPdropped last and a graceful fallback whenCAP_SETPCAPis unavailable.architecture/sandbox.md.Testing
mise run pre-commitpassesAdditional checks run:
mise run fmt && mise run e2e && mise run e2e:kubernetes && mise run e2e:dockercargo test -p openshell-supervisor-process --lib process::tests -- --nocapturecargo test -p openshell-supervisor-process --lib ssh::tests::pre_exec_always_calls_drop_privileges -- --nocaptureChecklist