From e7e55c988c05dd74005184ceb64f097a0cfe645b Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 28 Feb 2022 10:38:48 +0100
Subject: [PATCH] do not set the inheritable capabilities
The kernel never sets the inheritable capabilities for a process, they are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27651
Signed-off-by: Giuseppe Scrivano
---
 chroot/run.go | 2 +-
 run_linux.go | 6 ------
 2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/chroot/run.go b/chroot/run.go
index badb51e34..dcfbd0f24 100644
--- a/chroot/run.go
+++ b/chroot/run.go
@@ -897,7 +897,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
 capMap := map[capability.CapType][]string{
 capability.BOUNDING: spec.Process.Capabilities.Bounding,
 capability.EFFECTIVE: spec.Process.Capabilities.Effective,
-capability.INHERITABLE: spec.Process.Capabilities.Inheritable,
+capability.INHERITABLE: []string{},
 capability.PERMITTED: spec.Process.Capabilities.Permitted,
 capability.AMBIENT: spec.Process.Capabilities.Ambient,
 }
diff --git a/run_linux.go b/run_linux.go
index 794636bf4..eb9adbfb6 100644
--- a/run_linux.go
+++ b/run_linux.go
@@ -1964,9 +1964,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
 if err := g.AddProcessCapabilityEffective(cap); err != nil {
 return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
 }
-if err := g.AddProcessCapabilityInheritable(cap); err != nil {
-return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
-}
 if err := g.AddProcessCapabilityPermitted(cap); err != nil {
 return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
 }
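Review bot: The emptied inheritable set on the `+capability.INHERITABLE: []string{},` line carries no explanation in the code; the reasoning lives only in the commit message, so a why-comment on that line is warranted, e.g. `// Never honour the spec's inheritable set: the kernel leaves it empty for a new process and only userspace fills it, and a non-empty set is what allows ambient capabilities to be raised (CVE-2022-27651).` One consequence worth confirming is the `capability.AMBIENT` entry two lines below, which is still taken from the spec: the kernel only lets a capability be raised into the ambient set when it is also in the inheritable and permitted sets, so applying a non-empty spec ambient set on top of an empty inheritable set would presumably fail at apply time unless setCapabilities filters it elsewhere, which I cannot see from this hunk. As a point of style, `capability.INHERITABLE: nil,` is the idiomatic empty slice and behaves the same under range and len. setCapabilities continues outside the hunk.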
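Review bot: Dropping the `AddProcessCapabilityInheritable` call here (and its `DropProcessCapabilityInheritable` twin in the setupCapDrop hunk) stops this code from touching the inheritable set, but it does not clear whatever inheritable entries the generator already holds from the spec it was seeded with; if that base spec lists inheritable capabilities, they now survive both paths, since setupCapDrop no longer removes them either. If the intent is that the inheritable set is always empty, as the chroot/run.go hunk does for its path, a single `g.ClearProcessCapabilityInheritable()` before the loop in setupCapAdd (and in setupCapDrop) would make that explicit; where the generator is created is outside the hunk, so the contents of its base spec are inferred. Whether the loop also adds `cap` to the ambient set is likewise outside the hunk; if it does, an ambient entry without a matching inheritable entry is rejected by the kernel when the sets are applied. The loop enclosing these lines starts and ends outside the hunk.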
@@ -1985,9 +1982,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
 if err := g.DropProcessCapabilityEffective(cap); err != nil {
 return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
 }
-if err := g.DropProcessCapabilityInheritable(cap); err != nil {
-return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
-}
 if err := g.DropProcessCapabilityPermitted(cap); err != nil {
 return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
 }