Skip to content

Commit 53e943d

Browse files
kolyshkindashea
kolyshkin
authored and
dashea
committed
[release-1.21] Don't set ambient capabilities
Ambient capabilities can't be raised without inheritable ones, and since we don't raise inheritable, we should not raise ambient either. This went unnoticed because of a bug in syndtr/gocapability which is only fixed in its fork (see the next commit). Amends commit e7e55c9. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com> Signed-off-by: David Shea <dshea@redhat.com>
1 parent 69f3939 commit 53e943d

File tree

2 files changed

+1
-7
lines changed

2 files changed

+1
-7
lines changed

chroot/run.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -896,7 +896,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
896896
capability.EFFECTIVE: spec.Process.Capabilities.Effective,
897897
capability.INHERITABLE: {},
898898
capability.PERMITTED: spec.Process.Capabilities.Permitted,
899-
capability.AMBIENT: spec.Process.Capabilities.Ambient,
899+
capability.AMBIENT: {},
900900
}
901901
knownCaps := capability.List()
902902
caps.Clear(capability.CAPS | capability.BOUNDS | capability.AMBS)

run_linux.go

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1880,9 +1880,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
18801880
if err := g.AddProcessCapabilityPermitted(cap); err != nil {
18811881
return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
18821882
}
1883-
if err := g.AddProcessCapabilityAmbient(cap); err != nil {
1884-
return errors.Wrapf(err, "error adding %q to the ambient capability set", cap)
1885-
}
18861883
}
18871884
return nil
18881885
}
@@ -1898,9 +1895,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
18981895
if err := g.DropProcessCapabilityPermitted(cap); err != nil {
18991896
return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
19001897
}
1901-
if err := g.DropProcessCapabilityAmbient(cap); err != nil {
1902-
return errors.Wrapf(err, "error removing %q from the ambient capability set", cap)
1903-
}
19041898
}
19051899
return nil
19061900
}

0 commit comments

Comments
 (0)