root
/
buildah
mirror of https://github.com/containers/buildah.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #4268 from nalind/inheritable-capabilities-1.21 

[release-1.21] do not set the inheritable capabilities
This commit is contained in:
OpenShift Merge Robot 2022-09-20 07:15:46 +02:00 committed by GitHub
parent 5b309c3dba e916188285
commit 7d5ca7dde2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
chroot/run.go
View File

@ -894,7 +894,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
capMap := map[capability.CapType][]string{
capability.BOUNDING: spec.Process.Capabilities.Bounding,
capability.EFFECTIVE: spec.Process.Capabilities.Effective,
capability.INHERITABLE: spec.Process.Capabilities.Inheritable,
capability.INHERITABLE: {},
capability.PERMITTED: spec.Process.Capabilities.Permitted,
capability.AMBIENT: spec.Process.Capabilities.Ambient,
}

6
run_linux.go
View File

@ -1877,9 +1877,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
if err := g.AddProcessCapabilityEffective(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
}
if err := g.AddProcessCapabilityInheritable(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
}
if err := g.AddProcessCapabilityPermitted(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
}
@ -1898,9 +1895,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
if err := g.DropProcessCapabilityEffective(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
}
if err := g.DropProcessCapabilityInheritable(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
}
if err := g.DropProcessCapabilityPermitted(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
}

13
tests/run.bats
View File

@ -646,3 +646,16 @@ _EOF
uncolored="$output"
[ "$colored" != "$uncolored" ]
}
@test "run-inheritable-capabilities" {
skip_if_no_runtime
_prefetch alpine
run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json alpine
cid=$output
run_buildah run $cid grep ^CapInh: /proc/self/status
expect_output "CapInh: 0000000000000000"
run_buildah run --cap-add=ALL $cid grep ^CapInh: /proc/self/status
expect_output "CapInh: 0000000000000000"
}