
Commit 3dbcd3c

Merge pull request #5996 from openshift-cherrypick-robot/cherry-pick-5770-to-release-1.22
[release-1.22] capabilities: drop inheritable
2 parents c972b0a + af70823 commit 3dbcd3c


1 file changed

+3
-12
lines changed


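--- a/server/container_create.go
+++ b/server/container_create.go
@@ -292,6 +292,9 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 // and pods expect that switching to a non-root user results in the capabilities being
 // dropped. This should be revisited in the future.
 specgen.Config.Process.Capabilities.Ambient = []string{}
+// Also remove all inheritable capabilities in accordance with CVE-2022-27652,
+// as it's not idiomatic for a manager of processes to set them.
+specgen.Config.Process.Capabilities.Inheritable = []string{}
 
 if caps == nil {
 return nil
@@ -329,9 +332,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 if err := specgen.AddProcessCapabilityEffective(c); err != nil {
 return err
 }
-if err := specgen.AddProcessCapabilityInheritable(c); err != nil {
-return err
-}
 if err := specgen.AddProcessCapabilityPermitted(c); err != nil {
 return err
 }
@@ -345,9 +345,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 if err := specgen.DropProcessCapabilityEffective(c); err != nil {
 return err
 }
-if err := specgen.DropProcessCapabilityInheritable(c); err != nil {
-return err
-}
 if err := specgen.DropProcessCapabilityPermitted(c); err != nil {
 return err
 }
@@ -369,9 +366,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 if err := specgen.AddProcessCapabilityEffective(capPrefixed); err != nil {
 return err
 }
-if err := specgen.AddProcessCapabilityInheritable(capPrefixed); err != nil {
-return err
-}
 if err := specgen.AddProcessCapabilityPermitted(capPrefixed); err != nil {
 return err
 }
@@ -388,9 +382,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 if err := specgen.DropProcessCapabilityEffective(capPrefixed); err != nil {
 return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
 }
-if err := specgen.DropProcessCapabilityInheritable(capPrefixed); err != nil {
-return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
-}
 if err := specgen.DropProcessCapabilityPermitted(capPrefixed); err != nil {
 return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
 }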
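Review bot: The invariant this change introduces at new line 297 — the inheritable set stays empty no matter which add/drop branches run afterwards — is asserted by no test, and the diffstat shows only server/container_create.go touched; a unit test that calls setupCapabilities with both an add list and a drop list and then checks `if got := specgen.Config.Process.Capabilities.Inheritable; len(got) != 0 { t.Fatalf("inheritable caps set: %v", got) }` would keep a later cherry-pick or refactor from silently reintroducing AddProcessCapabilityInheritable. The assignment uses `[]string{}` rather than nil; if the spec's Inheritable field is serialized with omitempty (as I believe the runtime-spec type is), both forms are dropped from the emitted config, so the guarantee rests on the runtime treating an absent inheritable set as empty — worth a one-line comment such as `// empty and nil serialize identically here; the runtime must not derive inheritable from permitted` if that is the intended contract. The new comment could also say what "not idiomatic for a manager of processes" means operationally, e.g. `// Inheritable caps would let a non-root process in the container gain them back via file capabilities on exec.` The enclosing function setupCapabilities starts before the first hunk and ends after the last one, so the bounding-set handling and the final return are not visible here.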
