From 581c6ae008a3ff1f36f00572371326b0d86efd9c Mon Sep 17 00:00:00 2001
From: zhangxiaoyu
Date: Tue, 21 Feb 2023 10:38:45 +0800
Subject: [PATCH] remove process inheritable capability

Signed-off-by: zhangxiaoyu
---
 src/lxc/conf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 7f98811..19cf5e3 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -5284,7 +5284,8 @@ int lxc_drop_caps(struct lxc_conf *conf)
 if (caplist[i]) {
 cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
 cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
-cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+// fix CVE-2022-24769
+// inheritable capability should be empty
 }
 }
-- 
2.25.1
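Review bot: The two added comment lines state that the inheritable set should be empty, but the new code only stops OR-ing bits into `cap_data[CAP_TO_INDEX(i)].inheritable`; whether that field actually ends up zero depends on how `cap_data` was initialised before this loop, which is outside the hunk. Replacing the comment-only branch with an explicit `cap_data[CAP_TO_INDEX(i)].inheritable = 0;` would make the intended post-condition hold regardless of the initialiser and let a reader verify it from this function alone. The comment would also be more useful if it said why the set must stay empty, e.g. `// CVE-2022-24769: keep the inheritable set empty so a capability in the permitted set cannot be raised into the ambient set or carried across exec`, hedged here because the fix rationale is not visible in the hunk. The enclosing loop and lxc_drop_caps both start and end outside the hunk.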