Do not try to acquire capabilities we are not allowed to (#2000)

Currently reset_effective tries to acquire all know capabilities from a hardcoded list. According to https://man7.org/linux/man-pages/man7/capabilities.7.html only capabilities in the permitted set can be acquired. Trying to acquire a capability beyond those in the permitted set will result in EPERM (see https://man7.org/linux/man-pages/man2/capset.2.html). This change modifies reset_effective so that it only acquires the capabilities in the permitted set. Signed-off-by: Jorge Prendes <[email protected]>
youki-dev · Jun 6, 2023 · 2ff8b97 · 2ff8b97
1 parent 2427181
commit 2ff8b97
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/crates/libcontainer/src/capabilities.rs b/crates/libcontainer/src/capabilities.rs
@@ -125,7 +125,9 @@ impl CapabilityExt for SpecCapability {
 /// see <https://man7.org/linux/man-pages/man7/capabilities.7.html> for more information
 pub fn reset_effective<S: Syscall + ?Sized>(syscall: &S) -> Result<(), SyscallError> {
     tracing::debug!("reset all caps");
-    syscall.set_capability(CapSet::Effective, &caps::all())?;
+    // permitted capabilities are all the capabilities that we are allowed to acquire
+    let permitted = caps::read(None, CapSet::Permitted)?;
+    syscall.set_capability(CapSet::Effective, &permitted)?;
     Ok(())
 }
 
@@ -172,13 +174,14 @@ mod tests {
     #[test]
     fn test_reset_effective() {
         let test_command = TestHelperSyscall::default();
+        let permitted_caps = caps::read(None, CapSet::Permitted).unwrap();
         assert!(reset_effective(&test_command).is_ok());
         let set_capability_args: Vec<_> = test_command
             .get_set_capability_args()
             .into_iter()
             .map(|(_capset, caps)| caps)
             .collect();
-        assert_eq!(set_capability_args, vec![caps::all()]);
+        assert_eq!(set_capability_args, vec![permitted_caps]);
     }
 
     #[test]