From d940c8e738ce011bbfafdc6ef8af6516f8ee2191 Mon Sep 17 00:00:00 2001
From: Vanient <xiadanni1@huawei.com>
Date: Mon, 6 Jun 2022 20:23:46 +0800
Subject: [PATCH] runc: fix CVE-2022-29162
|
Do not set inheritable capabilities: the `runc exec --cap` path and the specconv example spec no longer populate the process's inheritable capability set.
upstream:https://github.com/opencontainers/runc/commit/98fe566c527479195ce3c8167136d2a555fe6b65
|
Signed-off-by: Vanient <xiadanni1@huawei.com>
---
exec.go | 1 -
libcontainer/specconv/example.go | 5 -----
2 files changed, 6 deletions(-)
diff --git a/exec.go b/exec.go
index 9ed90ea..5e5ce00 100644
--- a/exec.go
+++ b/exec.go
@@ -176,7 +176,6 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
if caps := context.StringSlice("cap"); len(caps) > 0 {
for _, c := range caps {
p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
- p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
p.Capabilities.Effective = append(p.Capabilities.Effective, c)
p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
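Review bot: With the `Inheritable` append removed, the `Ambient` append on the last line of this hunk is left without the prerequisite the kernel enforces: PR_CAP_AMBIENT_RAISE only succeeds for a capability that is in both the permitted and inheritable sets, so the ambient caps requested via `--cap` will be rejected at apply time unless the capability-applying code elsewhere in libcontainer raises inheritable transiently before setting ambient, which is not visible here. Depending on how that code surfaces prctl errors, `runc exec --cap` may now either fail outright or silently start the process without the ambient caps it was asked for; an integration test that execs with `--cap` and checks CapAmb in /proc/self/status would pin the intended outcome. The deleted line also deserves a comment so it is not reintroduced, e.g. `// Inheritable is deliberately left empty (CVE-2022-29162): a non-empty inheritable set lets a binary with matching inheritable file capabilities gain them in its permitted set on execve.` getProcess begins and ends outside the hunk.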
diff --git a/libcontainer/specconv/example.go b/libcontainer/specconv/example.go
index 9a4460c..973ea79 100644
--- a/libcontainer/specconv/example.go
+++ b/libcontainer/specconv/example.go
@@ -46,11 +46,6 @@ func Example() *specs.Spec {
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
},
- Inheritable: []string{
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- },
Ambient: []string{
"CAP_AUDIT_WRITE",
"CAP_KILL",
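Review bot: The example spec keeps its `Ambient` list while the inheritable set is now empty, and the kernel only lets an ambient capability be raised if it is also in the inheritable set, so as written the default spec asks for ambient caps that cannot be applied unless the runtime compensates for this somewhere not visible in this hunk. If the example is meant to match the fixed `runc exec --cap` behaviour, consider dropping the `Ambient` block as well, or at least adding a comment above the capability lists, e.g. `// Inheritable is intentionally unset (CVE-2022-29162); see capabilities(7) for how it interacts with ambient caps.` Example() begins and ends outside the hunk.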
--
2.27.0