Don't set ambient caps without inheritable ones #4367

Merged: 3 commits, Sep 26, 2024

Commits on Sep 26, 2024

  1. runc exec --cap: do not add capabilities to ambient

    Commit 98fe566 removed setting inheritable capabilities from runc exec
    --cap, but neglected to also remove ambient capabilities.
    
    An ambient capability could only be set if the same inheritable
    capability is set, so as a result of the above change ambient
    capabilities were not set (but due to a bug in gocapability package,
    those errors are never reported).
    
    Once we start using a library with the fix [1], that bug will become
    apparent. Alas, we do not have any tests for runc exec --cap, so add
    one.
    
    Yet, if some inheritable bits are already set from spec, let's set
    ambient to avoid a possible regression. Add a test case for that, too.
    
    [1]: kolyshkin/capability#3
    
    Fixes: 98fe566 ("runc: do not set inheritable capabilities")
    Co-authored-by: lifubang <lifubang@acmcoder.com>
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    kolyshkin and lifubang committed Sep 26, 2024
    Commit: 3e3f960
  2. runc spec, libct/int: do not add ambient capabilities

    Commit 98fe566 removed inheritable capabilities from the example spec
    (used by runc spec) and from the libcontainer/integration test config,
    but neglected to also remove ambient capabilities.
    
    An ambient capability could only be set if the same inheritable
    capability is set, so as a result of the above change ambient
    capabilities were not set (but due to a bug in gocapability package,
    those errors are never reported).
    
    Once we start using a library with the fix [1], that bug will become
    apparent (both bats-based and libct/int tests will fail).
    
    [1]: kolyshkin/capability#3
    
    Fixes: 98fe566 ("runc: do not set inheritable capabilities")
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    kolyshkin committed Sep 26, 2024
    Commit: 0de1953
  3. libct/README: simplify example, rm inheritable caps

    The example is too long since it lists too many capabilities.
    Simplify it, leaving only two capabilities.
    
    Also, remove ambient capabilities from the set. Inheritable capabilities
    were removed earlier by commit 98fe566, but ambient capabilities can't
    be raised without inheritable ones.
    
    Fixes: 98fe566
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    kolyshkin committed Sep 26, 2024
    Commit: 7a44910
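
The rule these commit messages rely on (per capabilities(7), an ambient capability can be raised only when it is in both the permitted and the inheritable set) can be checked against a spec's `process.capabilities` block before a runtime applies it. This is an added example, not code from runc or from this PR; `UnraisableAmbient` is a hypothetical helper and both JSON samples are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Capabilities holds the process.capabilities fields of an OCI spec that
// matter for the ambient rule; other fields are ignored when parsing.
type Capabilities struct {
	Permitted   []string `json:"permitted"`
	Inheritable []string `json:"inheritable"`
	Ambient     []string `json:"ambient"`
}

// Constructed sample: ambient still listed after inheritable was dropped.
const staleSpec = `{"bounding":["CAP_KILL","CAP_NET_BIND_SERVICE"],
 "permitted":["CAP_KILL","CAP_NET_BIND_SERVICE"],
 "ambient":["CAP_KILL","CAP_NET_BIND_SERVICE"]}`

// Constructed sample: one inheritable bit is set in the spec, so only that
// one ambient capability can be raised.
const mixedSpec = `{"permitted":["CAP_KILL","CAP_NET_BIND_SERVICE"],
 "inheritable":["CAP_KILL"],
 "ambient":["CAP_KILL","CAP_NET_BIND_SERVICE"]}`

// UnraisableAmbient (hypothetical helper) returns, sorted, the ambient
// entries that are missing from the permitted or the inheritable set.
func UnraisableAmbient(capsJSON []byte) ([]string, error) {
	var c Capabilities
	if err := json.Unmarshal(capsJSON, &c); err != nil {
		return nil, fmt.Errorf("parse capabilities: %w", err)
	}
	perm, inh := map[string]bool{}, map[string]bool{}
	for _, n := range c.Permitted {
		perm[n] = true
	}
	for _, n := range c.Inheritable {
		inh[n] = true
	}
	bad := []string{}
	for _, n := range c.Ambient {
		if !perm[n] || !inh[n] {
			bad = append(bad, n)
		}
	}
	sort.Strings(bad)
	return bad, nil
}
```

A non-empty result means the spec asks for ambient capabilities that cannot be raised, the condition the commit messages say was never reported as an error.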