CVE-2022-29162 runc: do not set inheritable capabilities

debian/changelog

@@ -1,3 +1,9 @@
+runc (1.1.0-ok2) yangtze; urgency=medium
+
+  * yangfs215 CVE-2022-29162 runc: do not set inheritable capabilities
+
+ -- yangfengsheng <yangfs@whu.edu.cn>  Tue, 18 Jul 2023 00:10:28 +0800
+
 runc (1.1.0-ok1) yangtze; urgency=medium
 
   * Merge new upstream version 1.1.0 

exec.go

@@ -224,7 +224,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 	if caps := context.StringSlice("cap"); len(caps) > 0 {
 		for _, c := range caps {
 			p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
-			p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
 			p.Capabilities.Effective = append(p.Capabilities.Effective, c)
 			p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
 			p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)

libcontainer/README.md

@@ -96,22 +96,6 @@ config := &configs.Config{
 			"CAP_KILL",
 			"CAP_AUDIT_WRITE",
 		},
-		Inheritable: []string{
-			"CAP_CHOWN",
-			"CAP_DAC_OVERRIDE",
-			"CAP_FSETID",
-			"CAP_FOWNER",
-			"CAP_MKNOD",
-			"CAP_NET_RAW",
-			"CAP_SETGID",
-			"CAP_SETUID",
-			"CAP_SETFCAP",
-			"CAP_SETPCAP",
-			"CAP_NET_BIND_SERVICE",
-			"CAP_SYS_CHROOT",
-			"CAP_KILL",
-			"CAP_AUDIT_WRITE",
-		},
 		Permitted: []string{
 			"CAP_CHOWN",
 			"CAP_DAC_OVERRIDE",

libcontainer/integration/exec_test.go

@@ -364,7 +364,6 @@ func TestProcessCaps(t *testing.T) {
 	pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
 	pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
 	pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
-	pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
 	err = container.Run(&pconfig)
 	ok(t, err)
 
@@ -1409,7 +1408,6 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
 	pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
 	pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
 	pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
-	pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")
 
 	err = container.Run(pconfig2)
 	_ = stdinR2.Close()

libcontainer/integration/template_test.go

@@ -75,22 +75,6 @@ func newTemplateConfig(t *testing.T, p *tParam) *configs.Config {
 				"CAP_KILL",
 				"CAP_AUDIT_WRITE",
 			},
-			Inheritable: []string{
-				"CAP_CHOWN",
-				"CAP_DAC_OVERRIDE",
-				"CAP_FSETID",
-				"CAP_FOWNER",
-				"CAP_MKNOD",
-				"CAP_NET_RAW",
-				"CAP_SETGID",
-				"CAP_SETUID",
-				"CAP_SETFCAP",
-				"CAP_SETPCAP",
-				"CAP_NET_BIND_SERVICE",
-				"CAP_SYS_CHROOT",
-				"CAP_KILL",
-				"CAP_AUDIT_WRITE",
-			},
 			Ambient: []string{
 				"CAP_CHOWN",
 				"CAP_DAC_OVERRIDE",

libcontainer/specconv/example.go

@@ -41,11 +41,6 @@ func Example() *specs.Spec {
 					"CAP_KILL",
 					"CAP_NET_BIND_SERVICE",
 				},
-				Inheritable: []string{
-					"CAP_AUDIT_WRITE",
-					"CAP_KILL",
-					"CAP_NET_BIND_SERVICE",
-				},
 				Ambient: []string{
 					"CAP_AUDIT_WRITE",
 					"CAP_KILL",