From 98fe566c527479195ce3c8167136d2a555fe6b65 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Tue, 1 Mar 2022 12:04:43 -0800
Subject: [PATCH] runc: do not set inheritable capabilities
Do not set inheritable capabilities in runc spec, runc exec --cap,
and in libcontainer integration tests.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
exec.go | 1 -
libcontainer/README.md | 16 ----------------
libcontainer/integration/exec_test.go | 2 --
libcontainer/integration/template_test.go | 16 ----------------
libcontainer/specconv/example.go | 5 -----
5 files changed, 40 deletions(-)
diff --git a/exec.go b/exec.go
index cdc9859c..982520f7 100644
--- a/exec.go
+++ b/exec.go
@@ -227,7 +227,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
if caps := context.StringSlice("cap"); len(caps) > 0 {
for _, c := range caps {
p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
p.Capabilities.Effective = append(p.Capabilities.Effective, c)
p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
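Review bot: The loop now leaves p.Capabilities.Inheritable untouched while still appending each `--cap` value to Ambient, and nothing in the hunk records that this asymmetry is deliberate, so a later reader is likely to "fix" it by re-adding the removed line. A comment above the loop would pin the intent: `// Inheritable is deliberately left empty: a non-empty inheritable set lets a binary carrying file capabilities turn them into permitted ones on execve, and it is not needed for the bounding/permitted/effective/ambient sets set below.` One thing to confirm rather than assume: the kernel only lets a capability be raised into the ambient set when it is also in the inheritable set at that moment, so unless libcontainer's capability application takes care of that ordering itself, the Ambient entries added here (and the ones kept in libcontainer/specconv/example.go and libcontainer/integration/template_test.go after their Inheritable blocks are removed) may no longer take effect; an integration check of CapAmb in /proc/self/status for the exec'd process would settle it. getProcess continues outside the hunk.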
diff --git a/libcontainer/README.md b/libcontainer/README.md
index addd6a95..20a215dc 100644
--- a/libcontainer/README.md
+++ b/libcontainer/README.md
@@ -84,22 +84,6 @@ config := &configs.Config{
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
- Inheritable: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
Permitted: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
index d91201e5..cb5c1b70 100644
--- a/libcontainer/integration/exec_test.go
+++ b/libcontainer/integration/exec_test.go
@@ -364,7 +364,6 @@ func TestProcessCaps(t *testing.T) {
pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
- pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
err = container.Run(&pconfig)
ok(t, err)
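Review bot: TestProcessCaps stops putting CAP_NET_ADMIN into the inheritable set but, as far as the hunk shows, gains no assertion that the inheritable set of the spawned process is actually empty, so the behaviour this commit establishes is not locked in by the test. If the checks that follow (outside the hunk) only compare the bounding, permitted and effective sets, adding an expectation that CapInh is 0 for the exec'd process would catch a regression that silently re-adds the removed line. The second hunk in TestRootfsPropagationSharedMount makes the same setup change, but that test exercises mount propagation, so the extra assertion belongs here.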
@@ -1360,7 +1359,6 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
- pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")
err = container.Run(pconfig2)
_ = stdinR2.Close()
diff --git a/libcontainer/integration/template_test.go b/libcontainer/integration/template_test.go
index f56db895..0e054b55 100644
--- a/libcontainer/integration/template_test.go
+++ b/libcontainer/integration/template_test.go
@@ -75,22 +75,6 @@ func newTemplateConfig(t *testing.T, p *tParam) *configs.Config {
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
- Inheritable: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
Ambient: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
diff --git a/libcontainer/specconv/example.go b/libcontainer/specconv/example.go
index 56bab3bf..152d938a 100644
--- a/libcontainer/specconv/example.go
+++ b/libcontainer/specconv/example.go
@@ -41,11 +41,6 @@ func Example() *specs.Spec {
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
},
- Inheritable: []string{
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- },
Ambient: []string{
"CAP_AUDIT_WRITE",
"CAP_KILL",
--
2.36.1.476.g0c4daa206d-goog