drivers/exec: Fix handling of capabilities for unprivileged tasks

Currently, the `exec` driver is only setting the Bounding set, which is not sufficient to actually enable the requisite capabilities for the task process. In order for the capabilities to survive `execve` performed by libcontainer, the `Permitted`, `Inheritable`, and `Ambient` sets must also be set. Per CAPABILITIES (7): > Ambient: This is a set of capabilities that are preserved across an > execve(2) of a program that is not privileged. The ambient capability > set obeys the invariant that no capability can ever be ambient if it > is not both permitted and inheritable. Fixes: #16642
hashicorp · Mar 24, 2023 · 559b360 · 559b360
1 parent b84c455
commit 559b360
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/drivers/shared/executor/executor_linux.go b/drivers/shared/executor/executor_linux.go
@@ -526,8 +526,17 @@ func configureCapabilities(cfg *lconfigs.Config, command *ExecCommand) {
 		}
 	default:
 		// otherwise apply the plugin + task capability configuration
+		//
+		// The capabilities must be set in the Ambient set as libcontainer
+		// performs `execve`` as an unprivileged user.  Ambient also requires
+		// that capabilities are Permitted and Inheritable.  Setting Effective
+		// is unnecessary, because we only need the capabilities to become
+		// effective _after_ execve, not before.
 		cfg.Capabilities = &lconfigs.Capabilities{
-			Bounding: command.Capabilities,
+			Bounding:    command.Capabilities,
+			Permitted:   command.Capabilities,
+			Inheritable: command.Capabilities,
+			Ambient:     command.Capabilities,
 		}
 	}
 }