oci: inheritable capability set should be empty

The Linux kernel never sets the Inheritable capability flag to anything other than empty. Moby should have the same behavior, and leave it to userspace code within the container to set a non-empty value if desired. Reported-by: Andrew G. Morgan <morgan@kernel.org> Signed-off-by: Samuel Karp <skarp@amazon.com>
2022-01-31 12:08:01 -08:00 · 2022-01-31 12:08:01 -08:00 · 0d9a37d0c2
commit 0d9a37d0c2
parent 3c06ebd876
3 changed files with 20 additions and 19 deletions
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
@ -19,13 +19,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
 		}
 	}
 	if ec.Privileged {
-		if p.Capabilities == nil {
-			p.Capabilities = &specs.LinuxCapabilities{}
+		p.Capabilities = &specs.LinuxCapabilities{
+			Bounding:  caps.GetAllCapabilities(),
+			Permitted: caps.GetAllCapabilities(),
+			Effective: caps.GetAllCapabilities(),
 		}
-		p.Capabilities.Bounding = caps.GetAllCapabilities()
-		p.Capabilities.Permitted = p.Capabilities.Bounding
-		p.Capabilities.Inheritable = p.Capabilities.Bounding
-		p.Capabilities.Effective = p.Capabilities.Bounding
 	}
 	if apparmor.HostSupports() {
 		var appArmorProfile string
--- a/oci/defaults.go
+++ b/oci/defaults.go
@ -36,10 +36,9 @@ func DefaultLinuxSpec() specs.Spec {
 		Version: specs.Version,
 		Process: &specs.Process{
 			Capabilities: &specs.LinuxCapabilities{
-				Bounding:    caps.DefaultCapabilities(),
-				Permitted:   caps.DefaultCapabilities(),
-				Inheritable: caps.DefaultCapabilities(),
-				Effective:   caps.DefaultCapabilities(),
+				Bounding:  caps.DefaultCapabilities(),
+				Permitted: caps.DefaultCapabilities(),
+				Effective: caps.DefaultCapabilities(),
 			},
 		},
 		Root: &specs.Root{},
--- a/oci/oci.go
+++ b/oci/oci.go
@ -17,17 +17,21 @@ import (
 var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")

 // SetCapabilities sets the provided capabilities on the spec
-// All capabilities are added if privileged is true
+// All capabilities are added if privileged is true.
 func SetCapabilities(s *specs.Spec, caplist []string) error {
-	s.Process.Capabilities.Effective = caplist
-	s.Process.Capabilities.Bounding = caplist
-	s.Process.Capabilities.Permitted = caplist
-	s.Process.Capabilities.Inheritable = caplist
 	// setUser has already been executed here
-	// if non root drop capabilities in the way execve does
-	if s.Process.User.UID != 0 {
-		s.Process.Capabilities.Effective = []string{}
-		s.Process.Capabilities.Permitted = []string{}
+	if s.Process.User.UID == 0 {
+		s.Process.Capabilities = &specs.LinuxCapabilities{
+			Effective: caplist,
+			Bounding:  caplist,
+			Permitted: caplist,
+		}
+	} else {
+		// Do not set Effective and Permitted capabilities for non-root users,
+		// to match what execve does.
+		s.Process.Capabilities = &specs.LinuxCapabilities{
+			Bounding: caplist,
+		}
 	}
 	return nil
 }