Add secured mount wrapper or coarse CAP_SYS_ADMIN for portlayer

[hickeng]

Story
As a VIC user I want to be able to pull images
As a security engineer I want all VCH endpointVM components running with least privilege

Detail
We currently mount image disks into the endpointVM in order to extract the image contents. To do so we require sufficient privileges. This means either:

1. CAP_SYS_ADMIN
2. sudo mount with pattern matching, but then we'd have to shell out to the mount command
3. splitting portlayer. storage into a separate component (it was architected for this) with different privileges to the rest of the portlayer components.

Estimate is for (1)

Acceptance
portlayer runs as un-privileged user but can still pull images

[DanielXiao]

@hickeng Do you mean that still run port-layer with root user? And only keep capability CAP_SYS_ADMIN of /sbin/port-layer-server. If we run port-layer with other user, we have to sudo mount and change all mount commands in our go code.

[DanielXiao]

In PR #8441, I try to run port-layer-server with non-root user and set capabilities cap_net_bind_service and cap_sys_admin to it.
But it still fails to bind dns port:

Jan  4 2019 03:20:22.601Z INFO  Ready for queries on udp://:53
Jan  4 2019 03:20:22.601Z ERROR Calling BindToDevice failed with: operation not permitted

vic/lib/dns/dns.go

Line 649 in 20ec04e

log.Errorf("Calling BindToDevice failed with: %s", err)

and fails to mount disk as well:

Jan  4 2019 03:20:25.545Z INFO  op=270.12: Creating ext4 filesystem on device /dev/sda
Jan  4 2019 03:20:25.549Z ERROR op=270.12: vmdk storage driver failed to format disk /dev/sda: exit status 1
Jan  4 2019 03:20:25.549Z ERROR op=270.12: mkfs output: mke2fs 1.43.4 (31-Jan-2017)
Could not open /dev/sda: Permission denied

Jan  4 2019 03:20:25.549Z ERROR op=270.12: Failed to create scratch filesystem: exit status 1
Jan  4 2019 03:20:25.549Z ERROR op=270.12: Cleaning up failed image scratch

vic/pkg/fs/ext4.go

Line 49 in 16ce0ef

op.Errorf("vmdk storage driver failed to format disk %s: %s", devPath, err)

We have to refactor these operations to shell commands with sudo, that 's risky before 1.5 release. So I prefer to defer it out of 1.5.0.

[hickeng]

@DanielXiao You cannot refactor opening the port into a shell command, and I would recommend against doing so for the mount - I listed it as an option because it is, but shelling out is generally something to avoid where ever possible. Both from a security and maintainability perspective (see #8031).

For the port you may need CAP_NET_BIND_SERVICE explicitly. I don't think we're using raw or packet sockets in the portlayer, but if we are you'd also need CAP_NET_RAW.

For mke2fs you may also require CAP_SYS_RESOURCE and/or CAP_SYS_RAWIO. Honestly I'd test it by granting various capabilities to the mke2fs binary and trying to make an ext4 filesystem on a loopback device.

Basically I've read through http://man7.org/linux/man-pages/man7/capabilities.7.html and identified the capabilities that seem relevant, but I'm only doing so based on the documentation not direct experience.