Allow LINUX_IMMUTABLE capability at runtime

cmgr/database.go

@@ -166,6 +166,7 @@ const schemaQuery string = `
 		nonewprivileges INTEGER NOT NULL CHECK(nonewprivileges == 0 OR nonewprivileges == 1),
 		diskquota TEXT NOT NULL,
 		cgroupparent TEXT NOT NULL,
+		capimmutable INTEGER NOT NULL CHECK(capimmutable == 0 OR capimmutable == 1) DEFAULT 0,
 		FOREIGN KEY (challenge) REFERENCES challenges (id)
 			ON UPDATE CASCADE ON DELETE CASCADE
 	);`
@@ -193,6 +194,9 @@ func (m *Manager) initDatabase() error {
 		m.log.errorf("could not set database schema: %s", err)
 		return err
 	}
+	// Best-effort migration for older DBs: add capimmutable if missing.
+	// If the column already exists, this will error and we ignore it.
+	_, _ = db.Exec("ALTER TABLE containerOptions ADD COLUMN capimmutable INTEGER NOT NULL DEFAULT 0;")
 
 	var fkeysEnforced bool
 	err = db.QueryRow("PRAGMA foreign_keys;").Scan(&fkeysEnforced)

cmgr/database_challenges.go

@@ -94,7 +94,7 @@ func (m *Manager) lookupChallengeMetadata(challenge ChallengeId) (*ChallengeMeta
 
 	containerOptions := new([]dbContainerOptions)
 	if err == nil {
-		err = txn.Select(containerOptions, "SELECT host, init, cpus, memory, ulimits, pidslimit, readonlyrootfs, droppedcaps, nonewprivileges, diskquota, cgroupparent FROM containerOptions WHERE challenge=?", challenge)
+		err = txn.Select(containerOptions, "SELECT host, init, cpus, memory, ulimits, pidslimit, readonlyrootfs, droppedcaps, nonewprivileges, diskquota, cgroupparent, capimmutable FROM containerOptions WHERE challenge=?", challenge)
 	}
 	for _, dbOpts := range *containerOptions {
 		cOpts, err := newFromDbContainerOptions(dbOpts)
@@ -279,7 +279,7 @@ func (m *Manager) addChallenges(addedChallenges []*ChallengeMetadata) []error {
 				break
 			}
 			m.log.debugf("%s%s: %v", metadata.Id, host_str, dbOpts)
-			_, err = txn.Exec("INSERT INTO containerOptions(challenge, host, init, cpus, memory, ulimits, pidslimit, readonlyrootfs, droppedcaps, nonewprivileges, diskquota, cgroupparent) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);",
+			_, err = txn.Exec("INSERT INTO containerOptions(challenge, host, init, cpus, memory, ulimits, pidslimit, readonlyrootfs, droppedcaps, nonewprivileges, diskquota, cgroupparent, capimmutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);",
 				metadata.Id,
 				host,
 				dbOpts.Init,
@@ -291,7 +291,8 @@ func (m *Manager) addChallenges(addedChallenges []*ChallengeMetadata) []error {
 				dbOpts.DroppedCaps,
 				dbOpts.NoNewPrivileges,
 				dbOpts.DiskQuota,
-				dbOpts.CgroupParent)
+				dbOpts.CgroupParent,
+				dbOpts.CapImmutable)
 			if err != nil {
 				m.log.error(err)
 				err = txn.Rollback()
@@ -542,7 +543,7 @@ func (m *Manager) updateChallenges(updatedChallenges []*ChallengeMetadata, rebui
 				}
 				break
 			}
-			_, err = txn.Exec("INSERT INTO containerOptions(challenge, host, init, cpus, memory, ulimits, pidslimit, readonlyrootfs, droppedcaps, nonewprivileges, diskquota, cgroupparent) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);",
+			_, err = txn.Exec("INSERT INTO containerOptions(challenge, host, init, cpus, memory, ulimits, pidslimit, readonlyrootfs, droppedcaps, nonewprivileges, diskquota, cgroupparent, capimmutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);",
 				metadata.Id,
 				host,
 				dbOpts.Init,
@@ -554,7 +555,8 @@ func (m *Manager) updateChallenges(updatedChallenges []*ChallengeMetadata, rebui
 				dbOpts.DroppedCaps,
 				dbOpts.NoNewPrivileges,
 				dbOpts.DiskQuota,
-				dbOpts.CgroupParent)
+				dbOpts.CgroupParent,
+				dbOpts.CapImmutable)
 			if err != nil {
 				m.log.error(err)
 				err = txn.Rollback()
@@ -690,6 +692,7 @@ type dbContainerOptions struct {
 	NoNewPrivileges bool
 	DiskQuota       string
 	CgroupParent    string
+	CapImmutable    bool
 }
 
 func newFromDbContainerOptions(dbOpts dbContainerOptions) (ContainerOptions, error) {
@@ -724,6 +727,7 @@ func newFromDbContainerOptions(dbOpts dbContainerOptions) (ContainerOptions, err
 	cOpts.DiskQuota = dbOpts.DiskQuota
 
 	cOpts.CgroupParent = dbOpts.CgroupParent
+	cOpts.CapImmutable = dbOpts.CapImmutable
 
 	return cOpts, nil
 }
@@ -760,6 +764,7 @@ func (cOpts ContainerOptions) toDbContainerOptions() (dbContainerOptions, error)
 	dbOpts.DiskQuota = cOpts.DiskQuota
 
 	dbOpts.CgroupParent = cOpts.CgroupParent
+	dbOpts.CapImmutable = cOpts.CapImmutable
 
 	return dbOpts, nil
 }

cmgr/docker.go

@@ -753,6 +753,9 @@ func (m *Manager) startContainers(build *BuildMetadata, instance *InstanceMetada
 			m.log.debug("inserting custom seccomp profile")
 			hConfig.SecurityOpt = append(hConfig.SecurityOpt, "seccomp:"+seccompPolicy)
 		}
+		if cOpts.CapImmutable {
+			hConfig.CapAdd = append(hConfig.CapAdd, "LINUX_IMMUTABLE")
+		}
 
 		nConfig := network.NetworkingConfig{
 			EndpointsConfig: map[string]*network.EndpointSettings{

cmgr/types.go

@@ -69,6 +69,7 @@ type ContainerOptions struct {
 	NoNewPrivileges bool     `json:"nonewprivileges,omitempty" yaml:"nonewprivileges"`
 	DiskQuota       string   `json:"diskquota,omitempty"       yaml:"diskquota"`
 	CgroupParent    string   `json:"cgroupparent,omitempty"    yaml:"cgroupparent"`
+	CapImmutable    bool     `json:"cap_immutable,omitempty"   yaml:"cap_immutable"`
 }
 
 type ChallengeOptions struct {