Skip to content

Commit

Permalink
Merge pull request from GHSA-f3fp-gc8g-vw66
Browse files Browse the repository at this point in the history
runc: do not set inheritable capabilities
  • Loading branch information
cyphar authored May 11, 2022
2 parents 94105ca + 98fe566 commit d04de3a
Show file tree
Hide file tree
Showing 5 changed files with 0 additions and 40 deletions.
1 change: 0 additions & 1 deletion exec.go
Original file line number Diff line number Diff line change
Expand Up @@ -227,7 +227,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
if caps := context.StringSlice("cap"); len(caps) > 0 {
for _, c := range caps {
p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
p.Capabilities.Effective = append(p.Capabilities.Effective, c)
p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
Expand Down
16 changes: 0 additions & 16 deletions libcontainer/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -84,22 +84,6 @@ config := &configs.Config{
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
Inheritable: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
Permitted: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
Expand Down
2 changes: 0 additions & 2 deletions libcontainer/integration/exec_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -364,7 +364,6 @@ func TestProcessCaps(t *testing.T) {
pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
err = container.Run(&pconfig)
ok(t, err)

Expand Down Expand Up @@ -1360,7 +1359,6 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")

err = container.Run(pconfig2)
_ = stdinR2.Close()
Expand Down
16 changes: 0 additions & 16 deletions libcontainer/integration/template_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -75,22 +75,6 @@ func newTemplateConfig(t *testing.T, p *tParam) *configs.Config {
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
Inheritable: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
Ambient: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
Expand Down
5 changes: 0 additions & 5 deletions libcontainer/specconv/example.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,11 +41,6 @@ func Example() *specs.Spec {
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
},
Inheritable: []string{
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
},
Ambient: []string{
"CAP_AUDIT_WRITE",
"CAP_KILL",
Expand Down

0 comments on commit d04de3a

Please sign in to comment.