From d940c8e738ce011bbfafdc6ef8af6516f8ee2191 Mon Sep 17 00:00:00 2001
From: Vanient
Date: Mon, 6 Jun 2022 20:23:46 +0800
Subject: [PATCH] runc: fix CVE-2022-29162 do not set inheritable capabilities

upstream:https://github.com/opencontainers/runc/commit/98fe566c527479195ce3c8167136d2a555fe6b65

Signed-off-by: Vanient
---
 exec.go | 1 -
 libcontainer/specconv/example.go | 5 -----
 2 files changed, 6 deletions(-)

diff --git a/exec.go b/exec.go
index 9ed90ea..5e5ce00 100644
--- a/exec.go
+++ b/exec.go
@@ -176,7 +176,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 if caps := context.StringSlice("cap"); len(caps) > 0 {
 for _, c := range caps {
 p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
 p.Capabilities.Effective = append(p.Capabilities.Effective, c)
 p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
 p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
diff --git a/libcontainer/specconv/example.go b/libcontainer/specconv/example.go
index 9a4460c..973ea79 100644
--- a/libcontainer/specconv/example.go
+++ b/libcontainer/specconv/example.go
@@ -46,11 +46,6 @@ func Example() *specs.Spec {
 "CAP_KILL",
 "CAP_NET_BIND_SERVICE",
 },
- Inheritable: []string{
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- },
 Ambient: []string{
 "CAP_AUDIT_WRITE",
 "CAP_KILL",
-- 
2.27.0