diff options
| author | Samuel Karp <skarp@amazon.com> | 2022-01-31 12:08:01 -0800 |
|---|---|---|
| committer | Samuel Karp <skarp@amazon.com> | 2022-02-08 14:33:44 -0800 |
| commit | 0d9a37d0c249e871af0e667317be3169054a989f (patch) | |
| tree | c3a911223fe2a63a9505234e49786faebdcf9307 /daemon/exec_linux.go | |
| parent | 3c06ebd876687555fdf030a3307a66908c4fa57c (diff) | |
| download | docker-0d9a37d0c249e871af0e667317be3169054a989f.tar.gz | |
oci: inheritable capability set should be empty
The Linux kernel never sets the Inheritable capability flag to anything
other than empty. Moby should have the same behavior, and leave it to
userspace code within the container to set a non-empty value if desired.
Reported-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Samuel Karp <skarp@amazon.com>
Diffstat (limited to 'daemon/exec_linux.go')
| -rw-r--r-- | daemon/exec_linux.go | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go index b683fef7de..d0090d6097 100644 --- a/daemon/exec_linux.go +++ b/daemon/exec_linux.go @@ -19,13 +19,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config } } if ec.Privileged { - if p.Capabilities == nil { - p.Capabilities = &specs.LinuxCapabilities{} + p.Capabilities = &specs.LinuxCapabilities{ + Bounding: caps.GetAllCapabilities(), + Permitted: caps.GetAllCapabilities(), + Effective: caps.GetAllCapabilities(), } - p.Capabilities.Bounding = caps.GetAllCapabilities() - p.Capabilities.Permitted = p.Capabilities.Bounding - p.Capabilities.Inheritable = p.Capabilities.Bounding - p.Capabilities.Effective = p.Capabilities.Bounding } if apparmor.HostSupports() { var appArmorProfile string |