From 778c8bd84ce0144dfb696082f39c42fab26e4711 Mon Sep 17 00:00:00 2001
From: Sean Walberg
Date: Mon, 29 Jun 2020 08:52:20 -0400
Subject: [PATCH] Also check for `allowPrivilegeEscalation`
The Ambassador container needs both the NET_BIND_SERVICE capability and also securityContext.allowPrivilegeEscalation to be enabled, so updating the init script to check for both. It checks to make sure it's not disabled (love these double negatives) so that if we're on a non docker runtime it won't get tripped up.
---
 python/entrypoint.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/python/entrypoint.sh b/python/entrypoint.sh
index 2ddfb4ea8c..54568fecb1 100644
--- a/python/entrypoint.sh
+++ b/python/entrypoint.sh
@@ -347,8 +347,10 @@ kick_ads() {
 if [ -z "${pids[envoy]}" ]; then
 # Envoy isn't running. Start it.
 # First check to see if this process has the capability to bind to a low port, if so it can run Envoy through a wrapper to grant the same
- capsh --decode=$(awk '/CapInh/ { print $2}' /proc/$$/status) | grep -q cap_net_bind_service
- if [ $? -eq 0 ]; then
+ # To bind to the low port it can't have privilege escalation revoked, and needs the NET_BIND_SERVICE capability
+ nonewprivs=$(awk '/NoNewPrivs/ { print $2 }' /proc/$$/status)
+ capsh --decode=$(awk '/CapInh/ { print $2 }' /proc/$$/status) | grep -q cap_net_bind_service
+ if [ $? -eq 0 -a "X$nonewprivs" != "X1" ]; then
 log "cap_net_bind_service is supported, launching Envoy through a wrapper"
 launch "envoy-wrapper" wrapper "${envoy_flags[@]}"
 else
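Review bot: The new condition `if [ $? -eq 0 -a "X$nonewprivs" != "X1" ]; then` tests the capsh|grep pipeline's status indirectly through `$?` and joins the two tests with the deprecated `-a`; putting the pipeline inside the `if` is clearer and cannot be broken by a line later inserted between the pipeline and the test, e.g. `if capsh --decode="$(awk '/CapInh/ { print $2 }' /proc/$$/status)" | grep -q cap_net_bind_service && [ "$nonewprivs" != "1" ]; then`. Quoting the `--decode=` substitution at the same time is standard hygiene for a value read from /proc. The `"X1"` comparison intentionally treats an absent NoNewPrivs field as "escalation allowed", as the commit message explains, but nothing in the code says so; a comment such as `# NoNewPrivs may be missing on some kernels/runtimes; only an explicit 1 disables the wrapper` would stop a later reader from tightening it to an equality check. Presumably the no_new_privs bit matters here because it prevents the wrapper exec from acquiring privileges the parent lacks; if that is the mechanism, recording it in the same comment keeps the check from being removed as redundant with the capability test. kick_ads continues outside the hunk.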