backport of commit 559b360

hashicorp · Mar 24, 2023 · e107eea · e107eea
1 parent 9073457
commit e107eea
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/drivers/shared/executor/executor_linux.go b/drivers/shared/executor/executor_linux.go
@@ -526,8 +526,17 @@ func configureCapabilities(cfg *lconfigs.Config, command *ExecCommand) {
 		}
 	default:
 		// otherwise apply the plugin + task capability configuration
+		//
+		// The capabilities must be set in the Ambient set as libcontainer
+		// performs `execve`` as an unprivileged user.  Ambient also requires
+		// that capabilities are Permitted and Inheritable.  Setting Effective
+		// is unnecessary, because we only need the capabilities to become
+		// effective _after_ execve, not before.
 		cfg.Capabilities = &lconfigs.Capabilities{
-			Bounding: command.Capabilities,
+			Bounding:    command.Capabilities,
+			Permitted:   command.Capabilities,
+			Inheritable: command.Capabilities,
+			Ambient:     command.Capabilities,
 		}
 	}
 }