After switching to the builder user, we prohibit using sudo. This helps
downstream layers find locations where sudo is incorrectly used, and it
prevents accidental breakout on system docker.
Signed-off-by: Felix Moessbauer <
felix.mo...@siemens.com>
---
container-entrypoint | 11 +++++++++++
kas-container | 1 +
2 files changed, 12 insertions(+)
diff --git a/container-entrypoint b/container-entrypoint
index da0c36d3a..9d23b6248 100755
--- a/container-entrypoint
+++ b/container-entrypoint
@@ -168,6 +168,17 @@ if [ "$PWD" = / ]; then
cd /builder || exit 1
fi
+if [ "$KAS_BLOCK_SUDO" = "1" ]; then
+ mkdir -p /usr/local/libexec
+ cat <<'EOF' > /usr/local/libexec/kas-no-sudo
+#!/bin/sh
+printf "KAS_BLOCK_SUDO=1: sudo is prohibited\n" >&2
+exit 1
+EOF
+ chmod +x /usr/local/libexec/kas-no-sudo
+ ln -sf /usr/local/libexec/kas-no-sudo /usr/bin/sudo
+fi
+
if [ -n "$1" ]; then
case "$1" in
build|checkout|clean*|diff|dump|for-all-repos|lock|menu|purge|shell|-*)
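Review bot: The block fails open: none of `mkdir -p`, `chmod +x` or `ln -sf` on the new lines has its status checked, so if replacing /usr/bin/sudo fails (read-only /usr, a non-root entrypoint, or the symlink not being created) the script continues with the real sudo still in place and nothing is reported, in contrast to the `cd /builder || exit 1` just above. Since the whole point of the flag is to make sudo unavailable, each of these should fail closed: `mkdir -p /usr/local/libexec || exit 1`, `chmod +x /usr/local/libexec/kas-no-sudo || exit 1`, `ln -sf /usr/local/libexec/kas-no-sudo /usr/bin/sudo || exit 1`. A short comment above the `if` would also help the next reader place this correctly, e.g. `# Tripwire, not a security boundary: makes accidental sudo use fail loudly; other privilege paths are unaffected.` Whether this runs before or after the switch to the builder user is not visible in the hunk, and the writes to /usr/bin and /usr/local need root, so that ordering is worth confirming; the enclosing script continues outside the hunk.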
diff --git a/kas-container b/kas-container
index 38f4992cc..25ef1fd15 100755
--- a/kas-container
+++ b/kas-container
@@ -177,6 +177,7 @@ enable_isar_rootless_mode()
fi
ISAR_ROOTLESS_MODE=1
KAS_CONTAINER_IMAGE_NAME_DEFAULT="kas-isar"
+ KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} -e KAS_BLOCK_SUDO=1"
# Use --privileged to pass the ambient capabilities into the container.
# When calling from the user session (podman or docker-rootless), this
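Review bot: The new KAS_BLOCK_SUDO environment variable is introduced without any documentation; the diffstat shows only the two scripts changed, so a user reading kas-container cannot tell what the flag does or that it is only set in the rootless isar path. A one-line comment on the added line would close that gap, e.g. `# Make the entrypoint replace /usr/bin/sudo so accidental sudo use fails loudly.` Appending to a whitespace-joined KAS_RUNTIME_ARGS string matches the surrounding style, but it means a later `-e KAS_BLOCK_SUDO=0` from the user would presumably win, which may be intended; enable_isar_rootless_mode starts outside the hunk.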
--
2.51.0