
Do not try to acquire capabilities we are not allowed to #2000

Merged (1 commit), Jun 6, 2023

Conversation

jprendes (Contributor) commented Jun 2, 2023

Currently reset_effective tries to acquire all known capabilities from a hardcoded list.
According to https://man7.org/linux/man-pages/man7/capabilities.7.html only capabilities in the permitted set can be acquired.
Trying to acquire a capability beyond those in the permitted set will result in EPERM (see https://man7.org/linux/man-pages/man2/capset.2.html).
This change modifies reset_effective so that it only acquires the capabilities in the permitted set.
This change is intended to fix #1999.
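The two behaviours described above, as an added example written in C against the raw capget(2)/capset(2) syscalls (youki itself is Rust, and this is not its code). The function names are my own, and the "all known" mask is built from CAP_LAST_CAP in the kernel headers:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#define NWORDS _LINUX_CAPABILITY_U32S_3 /* 32-bit words per set (v3 ABI) */

/* Read the calling thread's capability sets with raw capget(2). */
static int read_caps(struct __user_cap_data_struct data[NWORDS]) {
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    memset(data, 0, NWORDS * sizeof *data);
    return (int)syscall(SYS_capget, &hdr, data);
}

/* Write the sets back with raw capset(2). */
static int write_caps(struct __user_cap_data_struct data[NWORDS]) {
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Old behaviour (hypothetical name): raise every capability the headers know,
 * ignoring the permitted set. The kernel rejects any effective bit that is not
 * also permitted, so this fails with EPERM unless permitted is already full. */
int reset_effective_all_known(void) {
    struct __user_cap_data_struct data[NWORDS];
    if (read_caps(data) != 0) return -1;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        data[cap / 32].effective |= 1u << (cap % 32);
    return write_caps(data);
}

/* Fixed behaviour (hypothetical name): effective := permitted, the largest
 * effective set capset(2) will accept for this thread. */
int reset_effective_permitted(void) {
    struct __user_cap_data_struct data[NWORDS];
    if (read_caps(data) != 0) return -1;
    for (int i = 0; i < NWORDS; i++) data[i].effective = data[i].permitted;
    return write_caps(data);
}

/* 1 if effective == permitted, 0 if not, -1 if capget(2) failed. */
int effective_equals_permitted(void) {
    struct __user_cap_data_struct data[NWORDS];
    if (read_caps(data) != 0) return -1;
    for (int i = 0; i < NWORDS; i++)
        if (data[i].effective != data[i].permitted) return 0;
    return 1;
}
```

Run as an unprivileged user, the fixed version succeeds with an empty effective set while the old one fails with EPERM; the old one only succeeds when the permitted set already holds every known capability.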

codecov-commenter commented Jun 2, 2023

Codecov Report

Merging #2000 (b0fbe71) into main (cb75d26) will decrease coverage by 0.02%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #2000      +/-   ##
==========================================
- Coverage   65.28%   65.26%   -0.02%     
==========================================
  Files         129      129              
  Lines       14784    14802      +18     
==========================================
+ Hits         9651     9661      +10     
- Misses       5133     5141       +8     

@jprendes jprendes changed the title Do not set all capabilities before dropping them Do not try to acquire capabilities we are not allowed to Jun 5, 2023
@jprendes jprendes marked this pull request as ready for review June 5, 2023 16:17
Signed-off-by: Jorge Prendes <jorge.prendes@gmail.com>
@yihuaf yihuaf merged commit 2ff8b97 into containers:main Jun 6, 2023
@jprendes jprendes deleted the fix-caps branch June 6, 2023 08:47
Successfully merging this pull request may close these issues.

Youki fails when some unused capability is missing