authorSebastiaan van Stijn <github@gone.nl>2020-10-16 16:38:48 +0200
committerSebastiaan van Stijn <github@gone.nl>2020-10-16 17:52:27 +0200
commita38b96b8cdc4d345a050b417c4c492b75329e5a6 (patch)
tree4f98f36f04cb33f24ed6edaee8c5cc3963d039d9 /oci
parentbebbec4e8929d6cabe2eb9d6c6e192be63256b18 (diff)
Temporarily disable CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
This prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up. While these kernels support these capabilities, the current release of runc ships with an older version of /gocapability/capability, and does not know about them, causing an error to be produced. We can remove this restriction once https://github.com/opencontainers/runc/commit/6dfbe9b80707b1ca188255e8def15263348e0f9a is included in a runc release and once we stop supporting containerd 1.3.x (which ships with runc v1.0.0-rc92). Thanks to Anca Iordache for reporting. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Diffstat (limited to 'oci')
-rw-r--r--oci/caps/utils.go12
1 files changed, 12 insertions, 0 deletions
diff --git a/oci/caps/utils.go b/oci/caps/utils.go
index 4a8ed09e8d..e61e8584c3 100644
--- a/oci/caps/utils.go
+++ b/oci/caps/utils.go
@@ -16,6 +16,18 @@ func init() {
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
}
+ if last > capability.CAP_AUDIT_READ {
+ // Prevents docker from setting CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
+ // capabilities on privileged (or CAP_ALL) containers on Kernel 5.8 and up.
+ // While these kernels support these capabilities, the current release of
+ // runc ships with an older version of /gocapability/capability, and does
+ // not know about them, causing an error to be produced.
+ //
+ // FIXME remove once https://github.com/opencontainers/runc/commit/6dfbe9b80707b1ca188255e8def15263348e0f9a
+ // is included in a runc release and once we stop supporting containerd 1.3.x
+ // (which ships with runc v1.0.0-rc92)
+ last = capability.CAP_AUDIT_READ
+ }
for _, cap := range capability.List() {
if cap > last {
continue
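Review bot: The new `if last > capability.CAP_AUDIT_READ` guard hard-codes the ceiling and gives no signal when it fires, so once the vendored gocapability and runc do learn CAP_PERFMON, CAP_BPF and CAP_CHECKPOINT_RESTORE the three will keep being silently dropped from privileged containers until somebody stumbles on the FIXME. Consider lifting the ceiling into a named package-level constant, e.g. `const lastSupportedCap = capability.CAP_AUDIT_READ`, with the FIXME block attached to it, so that a unit test in this package can assert that `capability.List()` contains nothing above `lastSupportedCap`; that test would presumably fail the moment the vendored library is bumped, which is exactly the reminder the FIXME is asking for. The clamp also relies on the gocapability constants being numerically ordered like the kernel's capability numbers (CAP_AUDIT_READ immediately precedes CAP_PERFMON), and the comment would be more useful if it stated that assumption, e.g. `// Relies on capability constants following kernel numbering: CAP_AUDIT_READ is the last one before CAP_PERFMON.` The enclosing init() starts and ends outside the hunk.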