Merge pull request from GHSA-2mm7-x5h6-5pvq

thaJeztah · web-flow · commit 2bbc786e4c59 · 2022-03-23T22:10:17.000+01:00
oci: inheritable capability set should be empty
diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go
@@ -19,13 +19,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
 		}
 	}
 	if ec.Privileged {
-		if p.Capabilities == nil {
-			p.Capabilities = &specs.LinuxCapabilities{}
+		p.Capabilities = &specs.LinuxCapabilities{
+			Bounding:  caps.GetAllCapabilities(),
+			Permitted: caps.GetAllCapabilities(),
+			Effective: caps.GetAllCapabilities(),
 		}
-		p.Capabilities.Bounding = caps.GetAllCapabilities()
-		p.Capabilities.Permitted = p.Capabilities.Bounding
-		p.Capabilities.Inheritable = p.Capabilities.Bounding
-		p.Capabilities.Effective = p.Capabilities.Bounding
 	}
 	if apparmor.HostSupports() {
 		var appArmorProfile string
diff --git a/oci/defaults.go b/oci/defaults.go
@@ -36,10 +36,9 @@ func DefaultLinuxSpec() specs.Spec {
 		Version: specs.Version,
 		Process: &specs.Process{
 			Capabilities: &specs.LinuxCapabilities{
-				Bounding:    caps.DefaultCapabilities(),
-				Permitted:   caps.DefaultCapabilities(),
-				Inheritable: caps.DefaultCapabilities(),
-				Effective:   caps.DefaultCapabilities(),
+				Bounding:  caps.DefaultCapabilities(),
+				Permitted: caps.DefaultCapabilities(),
+				Effective: caps.DefaultCapabilities(),
 			},
 		},
 		Root: &specs.Root{},
diff --git a/oci/oci.go b/oci/oci.go
@@ -17,17 +17,21 @@ import (
 var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
 
 // SetCapabilities sets the provided capabilities on the spec
-// All capabilities are added if privileged is true
+// All capabilities are added if privileged is true.
 func SetCapabilities(s *specs.Spec, caplist []string) error {
-	s.Process.Capabilities.Effective = caplist
-	s.Process.Capabilities.Bounding = caplist
-	s.Process.Capabilities.Permitted = caplist
-	s.Process.Capabilities.Inheritable = caplist
 	// setUser has already been executed here
-	// if non root drop capabilities in the way execve does
-	if s.Process.User.UID != 0 {
-		s.Process.Capabilities.Effective = []string{}
-		s.Process.Capabilities.Permitted = []string{}
+	if s.Process.User.UID == 0 {
+		s.Process.Capabilities = &specs.LinuxCapabilities{
+			Effective: caplist,
+			Bounding:  caplist,
+			Permitted: caplist,
+		}
+	} else {
+		// Do not set Effective and Permitted capabilities for non-root users,
+		// to match what execve does.
+		s.Process.Capabilities = &specs.LinuxCapabilities{
+			Bounding: caplist,
+		}
 	}
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -19,13 +19,11 @@ func (daemon Daemon) execSetPlatformOpt(c container.Container, ec *exec.Config`
`19`	`19`	`}`
`20`	`20`	`}`
`21`	`21`	`if ec.Privileged {`
`22`		`- if p.Capabilities == nil {`
`23`		`- p.Capabilities = &specs.LinuxCapabilities{}`
	`22`	`+ p.Capabilities = &specs.LinuxCapabilities{`
	`23`	`+ Bounding: caps.GetAllCapabilities(),`
	`24`	`+ Permitted: caps.GetAllCapabilities(),`
	`25`	`+ Effective: caps.GetAllCapabilities(),`
`24`	`26`	`}`
`25`		`- p.Capabilities.Bounding = caps.GetAllCapabilities()`
`26`		`- p.Capabilities.Permitted = p.Capabilities.Bounding`
`27`		`- p.Capabilities.Inheritable = p.Capabilities.Bounding`
`28`		`- p.Capabilities.Effective = p.Capabilities.Bounding`
`29`	`27`	`}`
`30`	`28`	`if apparmor.HostSupports() {`
`31`	`29`	`var appArmorProfile string`