From 559b36010710ebc872c5b2445971cefcac8f1bcf Mon Sep 17 00:00:00 2001
From: Elvis Pranskevichus
Date: Thu, 23 Mar 2023 13:31:07 -0700
Subject: [PATCH] drivers/exec: Fix handling of capabilities for unprivileged tasks

Currently, the `exec` driver is only setting the Bounding set, which is not sufficient to actually enable the requisite capabilities for the task process. In order for the capabilities to survive `execve` performed by libcontainer, the `Permitted`, `Inheritable`, and `Ambient` sets must also be set.

Per CAPABILITIES (7):

> Ambient: This is a set of capabilities that are preserved across an
> execve(2) of a program that is not privileged. The ambient capability
> set obeys the invariant that no capability can ever be ambient if it
> is not both permitted and inheritable.

Fixes: #16642
---
 drivers/shared/executor/executor_linux.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/shared/executor/executor_linux.go b/drivers/shared/executor/executor_linux.go
index 4ab8367be55..5516660cd18 100644
--- a/drivers/shared/executor/executor_linux.go
+++ b/drivers/shared/executor/executor_linux.go
@@ -526,8 +526,17 @@ func configureCapabilities(cfg *lconfigs.Config, command *ExecCommand) {
 }
 default:
 // otherwise apply the plugin + task capability configuration
+ //
+ // The capabilities must be set in the Ambient set as libcontainer
+ // performs `execve`` as an unprivileged user. Ambient also requires
+ // that capabilities are Permitted and Inheritable. Setting Effective
+ // is unnecessary, because we only need the capabilities to become
+ // effective _after_ execve, not before.
 cfg.Capabilities = &lconfigs.Capabilities{
- Bounding: command.Capabilities,
+ Bounding: command.Capabilities,
+ Permitted: command.Capabilities,
+ Inheritable: command.Capabilities,
+ Ambient: command.Capabilities,
 }
 }
 }
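Review bot: The added comment has a doubled backtick after the word execve (the line reading performs `execve`` as an unprivileged user); dropping the extra one fixes the rendering. The comment should also spell out the security consequence of populating Ambient: every capability in command.Capabilities is now genuinely effective in the task process and, per the quoted capabilities(7) text, is retained across any further execve of unprivileged programs by the task and its children, so the driver-level capability allowlist is the real enforcement boundary rather than the bounding set alone. A line such as `// Ambient capabilities are retained by every unprivileged program the task execs, so command.Capabilities must already be filtered against the driver allowlist.` would make that dependency visible to the next maintainer. configureCapabilities begins before this hunk, so whether command.Capabilities has already been validated against that allowlist cannot be confirmed from the lines shown.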