From 0c8f5c7ef0965c184e2c6e50650dd7718e3cd1b7 Mon Sep 17 00:00:00 2001
From: Christian Kellner <christian@kellner.me>
Date: Tue, 26 Apr 2022 18:59:18 +0200
Subject: [PATCH] pipeline: drop CAP_{NET_ADMIN,SYS_PTRACE} caps

Drop CAP_{NET_ADMIN,SYS_PTRACE} from the default capabilities which
are only needed to run bwrap from inside a stage which is done by
the `ostree.commit` and `ostree.preptree` stages, so retain them
directly there.
---
 assemblers/org.osbuild.ostree.commit | 3 +++
 osbuild/pipeline.py                  | 2 --
 stages/org.osbuild.ostree.commit     | 3 +++
 stages/org.osbuild.ostree.preptree   | 3 +++
 stages/org.osbuild.rpm-ostree        | 3 +++
 5 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/assemblers/org.osbuild.ostree.commit b/assemblers/org.osbuild.ostree.commit
index 1b5c9fb9..f918a540 100755
--- a/assemblers/org.osbuild.ostree.commit
+++ b/assemblers/org.osbuild.ostree.commit
@@ -29,6 +29,9 @@ from osbuild import api
 from osbuild.util import ostree
 
 
+CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+
+
 SCHEMA = """
 "additionalProperties": false,
 "required": ["ref"],
diff --git a/osbuild/pipeline.py b/osbuild/pipeline.py
index 36f88017..29b341ad 100644
--- a/osbuild/pipeline.py
+++ b/osbuild/pipeline.py
@@ -29,7 +29,6 @@ DEFAULT_CAPABILITIES = {
     "CAP_MAC_ADMIN",
     "CAP_MAC_OVERRIDE",
     "CAP_MKNOD",
-    "CAP_NET_ADMIN",  # bwrap
     "CAP_NET_BIND_SERVICE",
     "CAP_SETFCAP",
     "CAP_SETGID",
@@ -38,7 +37,6 @@ DEFAULT_CAPABILITIES = {
     "CAP_SYS_ADMIN",
     "CAP_SYS_CHROOT",
     "CAP_SYS_NICE",
-    "CAP_SYS_PTRACE",  # bwrap
     "CAP_SYS_RESOURCE"
 }
 
diff --git a/stages/org.osbuild.ostree.commit b/stages/org.osbuild.ostree.commit
index 84d7a217..58ab2b3f 100755
--- a/stages/org.osbuild.ostree.commit
+++ b/stages/org.osbuild.ostree.commit
@@ -24,6 +24,9 @@ from osbuild import api
 from osbuild.util import ostree
 
 
+CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+
+
 SCHEMA_2 = """
 "options": {
   "additionalProperties": false,
diff --git a/stages/org.osbuild.ostree.preptree b/stages/org.osbuild.ostree.preptree
index 95c23402..00d79a90 100755
--- a/stages/org.osbuild.ostree.preptree
+++ b/stages/org.osbuild.ostree.preptree
@@ -43,6 +43,9 @@ from osbuild import api
 from osbuild.util import ostree
 
 
+CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+
+
 SCHEMA = """
 "additionalProperties": false,
 "properties": {
diff --git a/stages/org.osbuild.rpm-ostree b/stages/org.osbuild.rpm-ostree
index e1ccce84..38f0a648 100755
--- a/stages/org.osbuild.rpm-ostree
+++ b/stages/org.osbuild.rpm-ostree
@@ -39,6 +39,9 @@ import osbuild.api
 from osbuild.util import ostree
 
 
+CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+
+
 SCHEMA = """
 "additionalProperties": false,
 "properties": {