From 616c4e4df5f6098eb8f4d7824d85099e59e4e344 Mon Sep 17 00:00:00 2001 From: BoykoAlex Date: Sun, 26 Nov 2017 01:44:39 -0500 Subject: [PATCH] Add `privileged` property to resource_type for Concourse --- .../ide/vscode/concourse/PipelineYmlSchema.java | 1 + .../src/main/resources/desc/ResourceType/privileged.md | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 headless-services/concourse-language-server/src/main/resources/desc/ResourceType/privileged.md diff --git a/headless-services/concourse-language-server/src/main/java/org/springframework/ide/vscode/concourse/PipelineYmlSchema.java b/headless-services/concourse-language-server/src/main/java/org/springframework/ide/vscode/concourse/PipelineYmlSchema.java index 66047fbe7..c63545af5 100644 --- a/headless-services/concourse-language-server/src/main/java/org/springframework/ide/vscode/concourse/PipelineYmlSchema.java +++ b/headless-services/concourse-language-server/src/main/java/org/springframework/ide/vscode/concourse/PipelineYmlSchema.java @@ -379,6 +379,7 @@ public class PipelineYmlSchema implements YamlSchema { addProp(resourceType, "name", resourceTypeNameDef).isPrimary(true); addProp(resourceType, "type", t_resource_type_name).isRequired(true); addProp(resourceType, "source", resourceSource); + addProp(resourceType, "privileged", t_boolean); AbstractType group = f.ybean("Group"); addProp(group, "name", t_ne_string).isPrimary(true); diff --git a/headless-services/concourse-language-server/src/main/resources/desc/ResourceType/privileged.md b/headless-services/concourse-language-server/src/main/resources/desc/ResourceType/privileged.md new file mode 100644 index 000000000..980a2e527 --- /dev/null +++ b/headless-services/concourse-language-server/src/main/resources/desc/ResourceType/privileged.md @@ -0,0 +1,3 @@ +*Optional*. *Default* `false`. If set to `true`, the resource's containers will be run with full capabilities, as determined by the Garden backend the task runs on. For Linux-based backends it typically determines whether or not the container will run in a separate user namespace, and whether the `root` user is "actual" `root` (if set to `true`) or a user namespaced `root` (if set to `false`, the default). + +This is a gaping security hole; only configure it if the resource type needs it (which should be called out in its documentation). This is not up to the resource type to decide dynamically, so as to prevent privilege escalation via third-party resource type exploits. \ No newline at end of file