From a5cf9c9d9f1e1b9882833a8082110427be5615cd Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 28 Feb 2022 10:38:48 +0100
Subject: [PATCH 1/2] do not set the inheritable capabilities

The kernel never sets the inheritable capabilities for a process, they are only set by userspace. Emulate the same behavior.

Closes: CVE-2022-27651

Signed-off-by: Giuseppe Scrivano
---
 chroot/run.go | 2 +-
 run_linux.go | 6 ------
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/chroot/run.go b/chroot/run.go
index 591003568..a633f7b99 100644
--- a/chroot/run.go
+++ b/chroot/run.go
@@ -894,7 +894,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
 capMap := map[capability.CapType][]string{
 capability.BOUNDING: spec.Process.Capabilities.Bounding,
 capability.EFFECTIVE: spec.Process.Capabilities.Effective,
- capability.INHERITABLE: spec.Process.Capabilities.Inheritable,
+ capability.INHERITABLE: {},
 capability.PERMITTED: spec.Process.Capabilities.Permitted,
 capability.AMBIENT: spec.Process.Capabilities.Ambient,
 }
diff --git a/run_linux.go b/run_linux.go
index bb4bf6ade..16de6bee7 100644
--- a/run_linux.go
+++ b/run_linux.go
@@ -1877,9 +1877,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
 if err := g.AddProcessCapabilityEffective(cap); err != nil {
 return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
 }
- if err := g.AddProcessCapabilityInheritable(cap); err != nil {
- return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
- }
 if err := g.AddProcessCapabilityPermitted(cap); err != nil {
 return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
 }
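Review bot: The new `capability.INHERITABLE: {}` entry silently discards whatever the caller placed in spec.Process.Capabilities.Inheritable, and nothing in the hunk says why, so a later maintainer is likely to restore the spec field as an apparent oversight. A comment on the added line would anchor the decision: `// Never populate the inheritable set from the spec: the kernel leaves it empty on its own (CVE-2022-27651).` The ambient entry two lines below is still taken from the spec; since the kernel only admits ambient capabilities that are also present in the permitted and inheritable sets, a non-empty spec Ambient presumably can no longer be honoured once inheritable is forced empty, which seems worth documenting or validating in the same place. setCapabilities starts and ends outside the hunk.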
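Review bot: Removing the AddProcessCapabilityInheritable call stops setupCapAdd from growing the inheritable set, but it leaves untouched any inheritable entries the generator already carries from the spec it was built from, so the set ends up empty only if every other producer also leaves it empty; if that is not guaranteed, an explicit clear of the inheritable set here would make the invariant local rather than assumed. The same applies to the removed DropProcessCapabilityInheritable call in the setupCapDrop hunk that follows. A brief comment where the call used to be, such as `// Inheritable is intentionally left alone: the kernel never sets it, and userspace should not either (CVE-2022-27651).`, would document why only the effective and permitted sets are updated. setupCapAdd's signature and the enclosing loop begin before the hunk.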
@@ -1898,9 +1895,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
 if err := g.DropProcessCapabilityEffective(cap); err != nil {
 return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
 }
- if err := g.DropProcessCapabilityInheritable(cap); err != nil {
- return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
- }
 if err := g.DropProcessCapabilityPermitted(cap); err != nil {
 return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
 }

From e91618828556c51127c474683e614310477cf9b2 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Thu, 24 Mar 2022 16:32:47 -0400
Subject: [PATCH 2/2] Add a test for CVE-2022-27651

Check that the inheritable capabilities are set to 0, even when we explicitly try to add capabilities.

Signed-off-by: Nalin Dahyabhai
---
 tests/run.bats | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tests/run.bats b/tests/run.bats
index 9e9607893..2d41aae47 100644
--- a/tests/run.bats
+++ b/tests/run.bats
@@ -646,3 +646,16 @@ _EOF
 uncolored="$output"
 [ "$colored" != "$uncolored" ]
 }
+
+@test "run-inheritable-capabilities" {
+ skip_if_no_runtime
+
+ _prefetch alpine
+
+ run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json alpine
+ cid=$output
+ run_buildah run $cid grep ^CapInh: /proc/self/status
+ expect_output "CapInh: 0000000000000000"
+ run_buildah run --cap-add=ALL $cid grep ^CapInh: /proc/self/status
+ expect_output "CapInh: 0000000000000000"
+}
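Review bot: The test exercises `run_buildah run` only with the default isolation, while the first patch also changes the chroot path in chroot/run.go, so that path is left unverified unless the suite's default isolation happens to be chroot. Repeating the two checks with `--isolation=chroot` would cover both code paths, for example `run_buildah run --isolation=chroot --cap-add=ALL $cid grep ^CapInh: /proc/self/status` followed by `expect_output "CapInh: 0000000000000000"`. A short comment above the @test line stating that the expectation holds regardless of --cap-add because the inheritable set is never populated (CVE-2022-27651) would also tell a future reader why an all-caps run is expected to report zero.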