From a38b96b8cdc4d345a050b417c4c492b75329e5a6 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 16 Oct 2020 16:38:48 +0200
Subject: [PATCH] Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE

This prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up. While these kernels support these capabilities, the current release of runc ships with an older version of /gocapability/capability, and does not know about them, causing an error to be produced. We can remove this restriction once https://github.com/opencontainers/runc/commit/6dfbe9b80707b1ca188255e8def15263348e0f9a is included in a runc release and once we stop supporting containerd 1.3.x (which ships with runc v1.0.0-rc92). Thanks to Anca Iordache for reporting.

Signed-off-by: Sebastiaan van Stijn
---
 oci/caps/utils.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/oci/caps/utils.go b/oci/caps/utils.go
index 4a8ed09e8d..e61e8584c3 100644
--- a/oci/caps/utils.go
+++ b/oci/caps/utils.go
@@ -16,6 +16,18 @@ func init() {
 if last == capability.Cap(63) {
 last = capability.CAP_BLOCK_SUSPEND
 }
+ if last > capability.CAP_AUDIT_READ {
+ // Prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
+ // capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up.
+ // While these kernels support these capabilities, the current release of
+ // runc ships with an older version of /gocapability/capability, and does
+ // not know about them, causing an error to be produced.
+ //
+ // FIXME remove once https://github.com/opencontainers/runc/commit/6dfbe9b80707b1ca188255e8def15263348e0f9a
+ // is included in a runc release and once we stop supporting containerd 1.3.x
+ // (which ships with runc v1.0.0-rc92)
+ last = capability.CAP_AUDIT_READ
+ }
 for _, cap := range capability.List() {
 if cap > last {
 continue
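Review bot: The clamp `if last > capability.CAP_AUDIT_READ` caps the known-capability list at CAP_AUDIT_READ for every capability the vendored library lists above it, not only the three named in the comment, so the `if cap > last { continue }` filter below will presumably also reject those names when a user passes them explicitly via --cap-add rather than only trimming the CAP_ALL set; if that is intended, the comment should say so. The comment should also make clear this is a compatibility shim, not a privilege reduction: on 5.8+ kernels the permission checks for these three capabilities still fall back to CAP_SYS_ADMIN, which a privileged container keeps, so the container's effective power is unchanged. The new block must stay after the `Cap(63)` check above it, because reversing the order would resolve a `Cap(63)` fallback to CAP_AUDIT_READ instead of CAP_BLOCK_SUSPEND. A proposed addition to the comment: `// NOTE: this only trims the capability names docker knows about; the kernel still honours CAP_PERFMON/CAP_BPF/CAP_CHECKPOINT_RESTORE checks via CAP_SYS_ADMIN, so privileged containers lose nothing.` init's body starts before and continues after the hunk.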