spec: do not set inheritable capabilities

Closes: CVE-2022-27650 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
containers · Mar 23, 2022 · b847d14 · b847d14
1 parent 03fccbb
commit b847d14
Showing 1 changed file with 0 additions and 3 deletions.
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
@@ -120,9 +120,6 @@ static const char spec_file[] = "\
 				\"CAP_NET_BIND_SERVICE\"\n\
 			],\n\
 			\"inheritable\": [\n\
-				\"CAP_AUDIT_WRITE\",\n\
-				\"CAP_KILL\",\n\
-				\"CAP_NET_BIND_SERVICE\"\n\
 			],\n\
 			\"permitted\": [\n\
 				\"CAP_AUDIT_WRITE\",\n\