diff --git a/debian/changelog b/debian/changelog
index 3a69717..b771c3e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+runc (1.1.0-ok2) yangtze; urgency=medium
+
+  * yangfs215 CVE-2022-29162 runc: do not set inheritable capabilities
+
+ -- yangfengsheng Tue, 18 Jul 2023 00:10:28 +0800
+
 runc (1.1.0-ok1) yangtze; urgency=medium
 
   * Merge new upstream version 1.1.0
diff --git a/exec.go b/exec.go
index 18c6bff..82adb80 100644
--- a/exec.go
+++ b/exec.go
@@ -224,7 +224,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 	if caps := context.StringSlice("cap"); len(caps) > 0 {
 		for _, c := range caps {
 			p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
-			p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
 			p.Capabilities.Effective = append(p.Capabilities.Effective, c)
 			p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
 			p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
diff --git a/libcontainer/README.md b/libcontainer/README.md
index 13eee49..aedde77 100644
--- a/libcontainer/README.md
+++ b/libcontainer/README.md
@@ -96,22 +96,6 @@ config := &configs.Config{
 			"CAP_KILL",
 			"CAP_AUDIT_WRITE",
 		},
-		Inheritable: []string{
-			"CAP_CHOWN",
-			"CAP_DAC_OVERRIDE",
-			"CAP_FSETID",
-			"CAP_FOWNER",
-			"CAP_MKNOD",
-			"CAP_NET_RAW",
-			"CAP_SETGID",
-			"CAP_SETUID",
-			"CAP_SETFCAP",
-			"CAP_SETPCAP",
-			"CAP_NET_BIND_SERVICE",
-			"CAP_SYS_CHROOT",
-			"CAP_KILL",
-			"CAP_AUDIT_WRITE",
-		},
 		Permitted: []string{
 			"CAP_CHOWN",
 			"CAP_DAC_OVERRIDE",
diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
index ada4f85..3da6d96 100644
--- a/libcontainer/integration/exec_test.go
+++ b/libcontainer/integration/exec_test.go
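Review bot: The exec.go loop now appends each --cap value to Bounding, Effective, Permitted and Ambient while skipping Inheritable, which reads like an accidental omission rather than the CVE-2022-29162 fix the changelog names; a one-line comment should pin the intent so the line is not "restored" later: `// Inheritable is deliberately not populated from --cap (CVE-2022-29162): the exec'd process must not be given inheritable capabilities.` getProcess continues outside the hunk, so it is not visible here whether p.Capabilities.Inheritable is touched anywhere else in the function. The test hunks in this diff only drop the Inheritable appends from the fixtures; nothing asserts that a process started via runc exec --cap ends up with an empty inheritable set, so a regression check in TestProcessCaps would be worth adding.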
@@ -364,7 +364,6 @@ func TestProcessCaps(t *testing.T) {
 	pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
 	pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
 	pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
-	pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
 	err = container.Run(&pconfig)
 	ok(t, err)
 
@@ -1409,7 +1408,6 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
 	pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
 	pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
 	pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
-	pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")
 	err = container.Run(pconfig2)
 	_ = stdinR2.Close()
 
diff --git a/libcontainer/integration/template_test.go b/libcontainer/integration/template_test.go
index f56db89..0e054b5 100644
--- a/libcontainer/integration/template_test.go
+++ b/libcontainer/integration/template_test.go
@@ -75,22 +75,6 @@ func newTemplateConfig(t *testing.T, p *tParam) *configs.Config {
 			"CAP_KILL",
 			"CAP_AUDIT_WRITE",
 		},
-		Inheritable: []string{
-			"CAP_CHOWN",
-			"CAP_DAC_OVERRIDE",
-			"CAP_FSETID",
-			"CAP_FOWNER",
-			"CAP_MKNOD",
-			"CAP_NET_RAW",
-			"CAP_SETGID",
-			"CAP_SETUID",
-			"CAP_SETFCAP",
-			"CAP_SETPCAP",
-			"CAP_NET_BIND_SERVICE",
-			"CAP_SYS_CHROOT",
-			"CAP_KILL",
-			"CAP_AUDIT_WRITE",
-		},
 		Ambient: []string{
 			"CAP_CHOWN",
 			"CAP_DAC_OVERRIDE",
diff --git a/libcontainer/specconv/example.go b/libcontainer/specconv/example.go
index 56bab3b..152d938 100644
--- a/libcontainer/specconv/example.go
+++ b/libcontainer/specconv/example.go
@@ -41,11 +41,6 @@ func Example() *specs.Spec {
 				"CAP_KILL",
 				"CAP_NET_BIND_SERVICE",
 			},
-			Inheritable: []string{
-				"CAP_AUDIT_WRITE",
-				"CAP_KILL",
-				"CAP_NET_BIND_SERVICE",
-			},
 			Ambient: []string{
 				"CAP_AUDIT_WRITE",
 				"CAP_KILL",