
Merge pull request #36587 from justincormack/unpriv-caps

If the container will run as a non-root user, drop permitted and effective caps early
Vincent Demeester 7 年之前
父節點
當前提交
b67c1e078c
共有 2 個文件被更改,包括 9 次插入3 次删除
  1. 7 1
      daemon/oci_linux.go
  2. 2 2
      profiles/seccomp/seccomp.go

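--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -255,7 +255,7 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
 	if c.HostConfig.Privileged {
 		caplist = caps.GetAllCapabilities()
 	} else {
-		caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Effective, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
+		caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
 		if err != nil {
 			return err
 		}
@@ -264,6 +264,12 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
 	s.Process.Capabilities.Bounding = caplist
 	s.Process.Capabilities.Permitted = caplist
 	s.Process.Capabilities.Inheritable = caplist
+	// setUser has already been executed here
+	// if non root drop capabilities in the way execve does
+	if s.Process.User.UID != 0 {
+		s.Process.Capabilities.Effective = []string{}
+		s.Process.Capabilities.Permitted = []string{}
+	}
 	return nil
 }
 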
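Review bot: The new guard `if s.Process.User.UID != 0` fails open if its ordering assumption ever breaks: UID is the zero value until setUser populates it, so a caller that ran setCapabilities first would treat every container as root and skip the drop, leaving a non-root process with the full permitted and effective sets. The comment `// setUser has already been executed here` records the dependency but nothing enforces it; at minimum reword it to state the consequence, e.g. `// setUser must already have run: UID is 0 until then, which would be mistaken for root and the drop below skipped`, and consider a unit test that calls setCapabilities with a populated non-root User and asserts Effective and Permitted come back empty. It is also worth saying in the comment that Bounding and Inheritable keep caplist on purpose, so --cap-add/--cap-drop still decide what a setuid or file-capability binary inside the container can regain, and that the drop applies even when HostConfig.Privileged set caplist to all capabilities. If the spec's Ambient set is ever populated elsewhere (not visible here), execve would add those back into the permitted set and undo this drop, so Ambient must stay empty for the "like execve" claim to hold. The caller that orders setUser and setCapabilities is outside this hunk.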

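--- a/profiles/seccomp/seccomp.go
+++ b/profiles/seccomp/seccomp.go
@@ -105,7 +105,7 @@ Loop:
 		}
 		if len(call.Excludes.Caps) > 0 {
 			for _, c := range call.Excludes.Caps {
-				if inSlice(rs.Process.Capabilities.Effective, c) {
+				if inSlice(rs.Process.Capabilities.Bounding, c) {
 					continue Loop
 				}
 			}
@@ -117,7 +117,7 @@ Loop:
 		}
 		if len(call.Includes.Caps) > 0 {
 			for _, c := range call.Includes.Caps {
-				if !inSlice(rs.Process.Capabilities.Effective, c) {
+				if !inSlice(rs.Process.Capabilities.Bounding, c) {
 					continue Loop
 				}
 			}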
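Review bot: Both rewritten conditions now key the cap-conditional seccomp rules on `rs.Process.Capabilities.Bounding` without saying why, and a reader will reasonably ask why the "live" Effective set is not used; the reason is that a non-root container runs with an emptied Effective set while Bounding remains the ceiling a setuid or file-capability binary can regain, so filtering on Effective would silently enable or drop syscall rules for exactly those binaries. Add a comment above the first loop such as `// Key on Bounding, not Effective: non-root containers run with an empty Effective set, but Bounding is what a setuid/file-capability binary can still regain, so it is the set the profile must reflect.` Both hunks sit inside a function whose start is outside this section (only the `Loop:` label is visible), and if other parts of this file still consult Effective for the same purpose (not visible here) they should be switched in lockstep. Neither condition guards against a nil `rs.Process.Capabilities`; that is pre-existing and presumably the caller guarantees it, but worth confirming.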