SETUID/SETGID not required for changing user

It is no longer necessary to pass "SETUID" or "SETGID" capabilities to
the container when a "user" is specified in the config.

Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)

pkg/libcontainer/nsinit/init.go

@@ -172,15 +172,33 @@ func setupNetwork(container *libcontainer.Container, context libcontainer.Contex
 // and working dir, and closes any leaky file descriptors
 // before execing the command inside the namespace
 func FinalizeNamespace(container *libcontainer.Container) error {
-	if err := capabilities.DropCapabilities(container); err != nil {
-		return fmt.Errorf("drop capabilities %s", err)
-	}
 	if err := system.CloseFdsFrom(3); err != nil {
 		return fmt.Errorf("close open file descriptors %s", err)
 	}
+
+	// drop capabilities in bounding set before changing user
+	if err := capabilities.DropBoundingSet(container); err != nil {
+		return fmt.Errorf("drop bounding set %s", err)
+	}
+
+	// preserve existing capabilities while we change users
+	if err := system.SetKeepCaps(); err != nil {
+		return fmt.Errorf("set keep caps %s", err)
+	}
+
 	if err := SetupUser(container.User); err != nil {
 		return fmt.Errorf("setup user %s", err)
 	}
+
+	if err := system.ClearKeepCaps(); err != nil {
+		return fmt.Errorf("clear keep caps %s", err)
+	}
+
+	// drop all other capabilities
+	if err := capabilities.DropCapabilities(container); err != nil {
+		return fmt.Errorf("drop capabilities %s", err)
+	}
+
 	if container.WorkingDir != "" {
 		if err := system.Chdir(container.WorkingDir); err != nil {
 			return fmt.Errorf("chdir to %s %s", container.WorkingDir, err)

pkg/libcontainer/security/capabilities/capabilities.go

@@ -9,6 +9,25 @@ import (
 
 const allCapabilityTypes = capability.CAPS | capability.BOUNDS
 
+// DropBoundingSet drops the capability bounding set to those specified in the
+// container configuration.
+func DropBoundingSet(container *libcontainer.Container) error {
+	c, err := capability.NewPid(os.Getpid())
+	if err != nil {
+		return err
+	}
+
+	keep := getEnabledCapabilities(container)
+	c.Clear(capability.BOUNDS)
+	c.Set(capability.BOUNDS, keep...)
+
+	if err := c.Apply(capability.BOUNDS); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // DropCapabilities drops all capabilities for the current process expect those specified in the container configuration.
 func DropCapabilities(container *libcontainer.Container) error {
 	c, err := capability.NewPid(os.Getpid())