From 2ff8b97e676ebf848842df8fbc01f1b5c5c7b08c Mon Sep 17 00:00:00 2001
From: Jorge Prendes
Date: Tue, 6 Jun 2023 09:26:33 +0100
Subject: [PATCH] Do not try to acquire capabilities we are not allowed to (#2000)

Currently reset_effective tries to acquire all know capabilities from a hardcoded list. According to https://man7.org/linux/man-pages/man7/capabilities.7.html only capabilities in the permitted set can be acquired. Trying to acquire a capability beyond those in the permitted set will result in EPERM (see https://man7.org/linux/man-pages/man2/capset.2.html). This change modifies reset_effective so that it only acquires the capabilities in the permitted set.

Signed-off-by: Jorge Prendes
---
 crates/libcontainer/src/capabilities.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/crates/libcontainer/src/capabilities.rs b/crates/libcontainer/src/capabilities.rs
index 71dca831c..d3962877f 100644
--- a/crates/libcontainer/src/capabilities.rs
+++ b/crates/libcontainer/src/capabilities.rs
@@ -125,7 +125,9 @@ impl CapabilityExt for SpecCapability {
 /// see for more information
 pub fn reset_effective(syscall: &S) -> Result<(), SyscallError> {
 tracing::debug!("reset all caps");
- syscall.set_capability(CapSet::Effective, &caps::all())?;
+ // permitted capabilities are all the capabilities that we are allowed to acquire
+ let permitted = caps::read(None, CapSet::Permitted)?;
+ syscall.set_capability(CapSet::Effective, &permitted)?;
 Ok(())
 }
@@ -172,13 +174,14 @@ mod tests {
 #[test]
 fn test_reset_effective() {
 let test_command = TestHelperSyscall::default();
+ let permitted_caps = caps::read(None, CapSet::Permitted).unwrap();
 assert!(reset_effective(&test_command).is_ok());
 let set_capability_args: Vec<_> = test_command
 .get_set_capability_args()
 .into_iter()
 .map(|(_capset, caps)| caps)
 .collect();
- assert_eq!(set_capability_args, vec![caps::all()]);
+ assert_eq!(set_capability_args, vec![permitted_caps]);
 }
 #[test]
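Review bot: The new `caps::read(None, CapSet::Permitted)?` in `reset_effective` bypasses the `syscall` abstraction the function otherwise routes through, so the permitted set is always taken from the real calling thread even when a `TestHelperSyscall` is injected; the `test_reset_effective` hunk in `mod tests` therefore asserts against whatever permitted set the test runner process happens to have, which is environment-dependent (root vs. unprivileged, container vs. host) and cannot exercise a controlled input. If the `Syscall` trait has, or can grow, a read-side counterpart to `set_capability`, routing the read through it would let the test pin a fixed permitted set and keep the mock boundary intact. The doc comment directly above the signature still reads only `/// see for more information` and should state the new contract, e.g. `/// Raises the effective capability set to the current thread's permitted set; anything outside the permitted set cannot be acquired (capset(2) fails with EPERM).` Whether that doc block begins above the hunk is not visible from here.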