root
/
buildah
mirror of https://github.com/containers/buildah.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity

do not set the inheritable capabilities 

The kernel never sets the inheritable capabilities for a process, they
are only set by userspace.  Emulate the same behavior.

Closes: CVE-2022-27651

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano 2022-02-28 10:38:48 +01:00
parent f85e523322
commit e7e55c988c
No known key found for this signature in database
GPG Key ID: 67E38F7A8BA21772
2 changed files with 1 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
chroot/run.go
View File

@ -897,7 +897,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
capMap := map[capability.CapType][]string{ capMap := map[capability.CapType][]string{
capability.BOUNDING: spec.Process.Capabilities.Bounding, capability.BOUNDING: spec.Process.Capabilities.Bounding,
capability.EFFECTIVE: spec.Process.Capabilities.Effective, capability.EFFECTIVE: spec.Process.Capabilities.Effective,
capability.INHERITABLE: spec.Process.Capabilities.Inheritable, capability.INHERITABLE: []string{},
capability.PERMITTED: spec.Process.Capabilities.Permitted, capability.PERMITTED: spec.Process.Capabilities.Permitted,
capability.AMBIENT: spec.Process.Capabilities.Ambient, capability.AMBIENT: spec.Process.Capabilities.Ambient,
} }

6
run_linux.go
View File

@ -1964,9 +1964,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
if err := g.AddProcessCapabilityEffective(cap); err != nil { if err := g.AddProcessCapabilityEffective(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the effective capability set", cap) return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
} }
if err := g.AddProcessCapabilityInheritable(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
}
if err := g.AddProcessCapabilityPermitted(cap); err != nil { if err := g.AddProcessCapabilityPermitted(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the permitted capability set", cap) return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
} }
@ -1985,9 +1982,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
if err := g.DropProcessCapabilityEffective(cap); err != nil { if err := g.DropProcessCapabilityEffective(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the effective capability set", cap) return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
} }
if err := g.DropProcessCapabilityInheritable(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
}
if err := g.DropProcessCapabilityPermitted(cap); err != nil { if err := g.DropProcessCapabilityPermitted(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the permitted capability set", cap) return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
} }