do not set all capabilities before dropping them

Signed-off-by: Jorge Prendes <jorge.prendes@gmail.com>
youki-dev · Jun 2, 2023 · 70325ff · 70325ff
1 parent cb75d26
commit 70325ff
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 32 deletions.
diff --git a/crates/libcontainer/src/capabilities.rs b/crates/libcontainer/src/capabilities.rs
@@ -120,15 +120,6 @@ impl CapabilityExt for SpecCapability {
     }
 }
 
-/// reset capabilities of process calling this to effective capabilities
-/// effective capability set is set of capabilities used by kernel to perform checks
-/// see <https://man7.org/linux/man-pages/man7/capabilities.7.html> for more information
-pub fn reset_effective<S: Syscall + ?Sized>(syscall: &S) -> Result<(), SyscallError> {
-    tracing::debug!("reset all caps");
-    syscall.set_capability(CapSet::Effective, &caps::all())?;
-    Ok(())
-}
-
 /// Drop any extra granted capabilities, and reset to defaults which are in oci specification
 pub fn drop_privileges<S: Syscall + ?Sized>(
     cs: &LinuxCapabilities,
@@ -169,18 +160,6 @@ mod tests {
     use super::*;
     use crate::syscall::test::TestHelperSyscall;
 
-    #[test]
-    fn test_reset_effective() {
-        let test_command = TestHelperSyscall::default();
-        assert!(reset_effective(&test_command).is_ok());
-        let set_capability_args: Vec<_> = test_command
-            .get_set_capability_args()
-            .into_iter()
-            .map(|(_capset, caps)| caps)
-            .collect();
-        assert_eq!(set_capability_args, vec![caps::all()]);
-    }
-
     #[test]
     fn test_convert_oci_spec_to_caps_type() {
         struct Testcase {

diff --git a/crates/libcontainer/src/process/container_init_process.rs b/crates/libcontainer/src/process/container_init_process.rs
@@ -577,10 +577,6 @@ pub fn container_init_process(
         tracing::warn!("seccomp not available, unable to enforce no_new_privileges!")
     }
 
-    capabilities::reset_effective(syscall).map_err(|err| {
-        tracing::error!(?err, "failed to reset effective capabilities");
-        InitProcessError::SyscallOther(err)
-    })?;
     if let Some(caps) = proc.capabilities() {
         capabilities::drop_privileges(caps, syscall).map_err(|err| {
             tracing::error!(?err, "failed to drop capabilities");

diff --git a/crates/libcontainer/src/syscall/linux.rs b/crates/libcontainer/src/syscall/linux.rs
@@ -21,7 +21,7 @@ use std::sync::Arc;
 use std::{any::Any, mem, path::Path, ptr};
 
 use super::{Result, Syscall, SyscallError};
-use crate::{capabilities, utils};
+use crate::utils;
 
 // Flags used in mount_setattr(2).
 // see https://man7.org/linux/man-pages/man2/mount_setattr.2.html.
@@ -333,12 +333,6 @@ impl Syscall for LinuxSyscall {
             err
         })?;
 
-        // if not the root user, reset capabilities to effective capabilities,
-        // which are used by kernel to perform checks
-        // see https://man7.org/linux/man-pages/man7/capabilities.7.html for more information
-        if uid != Uid::from_raw(0) {
-            capabilities::reset_effective(self)?;
-        }
         prctl::set_keep_capabilities(false).map_err(|errno| {
             tracing::error!(?errno, "failed to set keep capabilities to false");
             nix::errno::from_i32(errno)