do not set the inheritable capabilities

giuseppe · giuseppe · commit e7e55c988c05 · 2022-03-23T09:09:39.000+01:00
The kernel never sets the inheritable capabilities for a process, they are only set by userspace. Emulate the same behavior. Closes: CVE-2022-27651 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
diff --git a/chroot/run.go b/chroot/run.go
@@ -897,7 +897,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
 	capMap := map[capability.CapType][]string{
 		capability.BOUNDING:    spec.Process.Capabilities.Bounding,
 		capability.EFFECTIVE:   spec.Process.Capabilities.Effective,
-		capability.INHERITABLE: spec.Process.Capabilities.Inheritable,
+		capability.INHERITABLE: []string{},
 		capability.PERMITTED:   spec.Process.Capabilities.Permitted,
 		capability.AMBIENT:     spec.Process.Capabilities.Ambient,
 	}
diff --git a/run_linux.go b/run_linux.go
@@ -1964,9 +1964,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
 		if err := g.AddProcessCapabilityEffective(cap); err != nil {
 			return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
 		}
-		if err := g.AddProcessCapabilityInheritable(cap); err != nil {
-			return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
-		}
 		if err := g.AddProcessCapabilityPermitted(cap); err != nil {
 			return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
 		}
@@ -1985,9 +1982,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
 		if err := g.DropProcessCapabilityEffective(cap); err != nil {
 			return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
 		}
-		if err := g.DropProcessCapabilityInheritable(cap); err != nil {
-			return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
-		}
 		if err := g.DropProcessCapabilityPermitted(cap); err != nil {
 			return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
 		}

Original file line number	Diff line number	Diff line change
`@@ -897,7 +897,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {`
`897`	`897`	`capMap := map[capability.CapType][]string{`
`898`	`898`	`capability.BOUNDING: spec.Process.Capabilities.Bounding,`
`899`	`899`	`capability.EFFECTIVE: spec.Process.Capabilities.Effective,`
`900`		`- capability.INHERITABLE: spec.Process.Capabilities.Inheritable,`
	`900`	`+ capability.INHERITABLE: []string{},`
`901`	`901`	`capability.PERMITTED: spec.Process.Capabilities.Permitted,`
`902`	`902`	`capability.AMBIENT: spec.Process.Capabilities.Ambient,`
`903`	`903`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1964,9 +1964,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {`
`1964`	`1964`	`if err := g.AddProcessCapabilityEffective(cap); err != nil {`
`1965`	`1965`	`return errors.Wrapf(err, "error adding %q to the effective capability set", cap)`
`1966`	`1966`	`}`
`1967`		`- if err := g.AddProcessCapabilityInheritable(cap); err != nil {`
`1968`		`- return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)`
`1969`		`- }`
`1970`	`1967`	`if err := g.AddProcessCapabilityPermitted(cap); err != nil {`
`1971`	`1968`	`return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)`
`1972`	`1969`	`}`
`@@ -1985,9 +1982,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {`
`1985`	`1982`	`if err := g.DropProcessCapabilityEffective(cap); err != nil {`
`1986`	`1983`	`return errors.Wrapf(err, "error removing %q from the effective capability set", cap)`
`1987`	`1984`	`}`
`1988`		`- if err := g.DropProcessCapabilityInheritable(cap); err != nil {`
`1989`		`- return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)`
`1990`		`- }`
`1991`	`1985`	`if err := g.DropProcessCapabilityPermitted(cap); err != nil {`
`1992`	`1986`	`return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)`
`1993`	`1987`	`}`