runc exec --cap: do not add capabilities to ambient
Commit 98fe566 removed setting inheritable capabilities from runc exec
--cap, but neglected to also remove ambient capabilities.

An ambient capability could only be set if the same inheritable
capability is set, so as a result of the above change ambient
capabilities were not set (but due to a bug in gocapability package,
those errors are never reported).

Once we start using a library with the fix [1], that bug will become
apparent. Alas, we do not have any tests for runc exec --cap, so add
one.

[1]: kolyshkin/capability#3

Fixes: 98fe566 ("runc: do not set inheritable capabilities")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
kolyshkin committed Sep 12, 2024
1 parent f9f5764 commit 190cce2
Showing 2 changed files with 23 additions and 1 deletion.
1 change: 0 additions & 1 deletion exec.go
Expand Up @@ -234,7 +234,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
p.Capabilities.Effective = append(p.Capabilities.Effective, c)
p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
}
}
// append the passed env variables
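Review bot: The removed `p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)` line leaves Bounding, Effective and Permitted populated while Inheritable and Ambient stay empty, but nothing at this site says why. Add a short comment above the loop stating that `--cap` intentionally does not set Inheritable (dropped in 98fe566) and therefore cannot set Ambient either, since the kernel requires the matching inheritable bit; otherwise a later contributor may re-add the line and hit the error that the fixed capability library will now report.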
23 changes: 23 additions & 0 deletions tests/integration/capabilities.bats
Expand Up @@ -53,3 +53,26 @@ function teardown() {
[[ "${output}" == *"CapPrm: 0000000000200000"* ]]
[[ "${output}" == *"NoNewPrivs: 1"* ]]
}

@test "runc exec --cap" {
update_config ' .process.args = ["/bin/sh"]
| .process.capabilities = {}'
runc run -d --console-socket "$CONSOLE_SOCKET" test_exec_cap
[ "$status" -eq 0 ]

runc exec test_exec_cap cat /proc/self/status
[ "$status" -eq 0 ]
[[ "${output}" == *"CapInh: 0000000000000000"* ]]
[[ "${output}" == *"CapAmb: 0000000000000000"* ]]
[[ "${output}" == *"CapBnd: 0000000000000000"* ]]
[[ "${output}" == *"CapEff: 0000000000000000"* ]]
[[ "${output}" == *"CapPrm: 0000000000000000"* ]]

runc exec --cap CAP_KILL --cap CAP_AUDIT_WRITE test_exec_cap cat /proc/self/status
[ "$status" -eq 0 ]
[[ "${output}" == *"CapInh: 0000000000000000"* ]]
[[ "${output}" == *"CapAmb: 0000000000000000"* ]]
[[ "${output}" == *"CapBnd: 0000000020000020"* ]]
[[ "${output}" == *"CapEff: 0000000020000020"* ]]
[[ "${output}" == *"CapPrm: 0000000020000020"* ]]
}
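Review bot: The asserted hex masks in the second `runc exec` are opaque; add a comment next to `[[ "${output}" == *"CapBnd: 0000000020000020"* ]]` noting that 0x20000020 is CAP_KILL (bit 5, 0x20) combined with CAP_AUDIT_WRITE (bit 29, 0x20000000) so a reader can check the value without a capability table. It is also worth a one-line comment that the `CapInh`/`CapAmb` zero checks after `--cap` are the regression assertions for this fix (ambient is not populated because inheritable is not), rather than incidental checks, since that is what will fail once the fixed library starts reporting the error described in the commit message.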

0 comments on commit 190cce2