From dd38613d0c8974438fa24b63fb6c540a66e7939c Mon Sep 17 00:00:00 2001
From: Samuel Karp
Date: Mon, 31 Jan 2022 12:08:01 -0800
Subject: [PATCH] oci: inheritable capability set should be empty

The Linux kernel never sets the Inheritable capability flag to anything other than empty. Moby should have the same behavior, and leave it to userspace code within the container to set a non-empty value if desired.
Reported-by: Andrew G. Morgan
Signed-off-by: Samuel Karp
(cherry picked from commit 0d9a37d0c249e871af0e667317be3169054a989f)
Signed-off-by: Samuel Karp
---
 daemon/exec_linux.go | 10 ++++------
 oci/defaults.go | 7 +++----
 oci/oci.go | 22 +++++++++++++---------
 3 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go
index e3aadb3326..44959a3998 100644
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
@@ -19,13 +19,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
 }
 }
 if ec.Privileged {
- if p.Capabilities == nil {
- p.Capabilities = &specs.LinuxCapabilities{}
+ p.Capabilities = &specs.LinuxCapabilities{
+ Bounding: caps.GetAllCapabilities(),
+ Permitted: caps.GetAllCapabilities(),
+ Effective: caps.GetAllCapabilities(),
 }
- p.Capabilities.Bounding = caps.GetAllCapabilities()
- p.Capabilities.Permitted = p.Capabilities.Bounding
- p.Capabilities.Inheritable = p.Capabilities.Bounding
- p.Capabilities.Effective = p.Capabilities.Bounding
 }
 if apparmor.IsEnabled() {
 var appArmorProfile string
diff --git a/oci/defaults.go b/oci/defaults.go
index 390618a89c..d593a0e3e9 100644
--- a/oci/defaults.go
+++ b/oci/defaults.go
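Review bot: The new `specs.LinuxCapabilities` literal in the `if ec.Privileged` block omits `Inheritable` on purpose, but nothing in the code says so, and a later reader comparing the three-field literal against the type is likely to add it back; the same applies to the literals in the oci/defaults.go hunk and the oci/oci.go hunk. A one-line comment above the literal would pin the intent, e.g. `// Inheritable is deliberately left empty: the kernel never populates it itself, and userspace inside the container can set it if needed.` The literal also replaces `p.Capabilities` wholesale instead of filling in a nil value as before, so any field already set on it at this point (Ambient, for instance) is discarded; whether a caller relies on that is not visible here, since execSetPlatformOpt starts and ends outside the hunk.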
@@ -41,10 +41,9 @@ func DefaultLinuxSpec() specs.Spec {
 Version: specs.Version,
 Process: &specs.Process{
 Capabilities: &specs.LinuxCapabilities{
- Bounding: caps.DefaultCapabilities(),
- Permitted: caps.DefaultCapabilities(),
- Inheritable: caps.DefaultCapabilities(),
- Effective: caps.DefaultCapabilities(),
+ Bounding: caps.DefaultCapabilities(),
+ Permitted: caps.DefaultCapabilities(),
+ Effective: caps.DefaultCapabilities(),
 },
 },
 Root: &specs.Root{},
diff --git a/oci/oci.go b/oci/oci.go
index fdc1e06de2..60227c2680 100644
--- a/oci/oci.go
+++ b/oci/oci.go
@@ -17,17 +17,21 @@ import (
 var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
 // SetCapabilities sets the provided capabilities on the spec
-// All capabilities are added if privileged is true
+// All capabilities are added if privileged is true.
 func SetCapabilities(s *specs.Spec, caplist []string) error {
- s.Process.Capabilities.Effective = caplist
- s.Process.Capabilities.Bounding = caplist
- s.Process.Capabilities.Permitted = caplist
- s.Process.Capabilities.Inheritable = caplist
 // setUser has already been executed here
- // if non root drop capabilities in the way execve does
- if s.Process.User.UID != 0 {
- s.Process.Capabilities.Effective = []string{}
- s.Process.Capabilities.Permitted = []string{}
+ if s.Process.User.UID == 0 {
+ s.Process.Capabilities = &specs.LinuxCapabilities{
+ Effective: caplist,
+ Bounding: caplist,
+ Permitted: caplist,
+ }
+ } else {
+ // Do not set Effective and Permitted capabilities for non-root users,
+ // to match what execve does.
+ s.Process.Capabilities = &specs.LinuxCapabilities{
+ Bounding: caplist,
+ }
 }
 return nil
 }
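Review bot: The doc comment on `SetCapabilities` still says "All capabilities are added if privileged is true", but the function has no `privileged` parameter (its signature is `SetCapabilities(s *specs.Spec, caplist []string) error`), so the commit's change of adding a period leaves a misleading sentence in place. A comment that matches the new body would be `// SetCapabilities replaces s.Process.Capabilities with caplist as the Bounding set and, when the process user is root, also as the Effective and Permitted sets; Inheritable and Ambient are left empty.` The else-branch comment describes behaviour that predates this commit — Effective and Permitted were already cleared for non-root — and would be more useful stating what the branch now guarantees, namely that only Bounding is populated for a non-root user. Since the function now builds a fresh struct rather than mutating the existing one, it also requires `s.Process` to be non-nil, which the old code already assumed but which is worth stating in the doc comment.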