Merge pull request #5996 from openshift-cherrypick-robot/cherry-pick-…

…5770-to-release-1.22 [release-1.22] capabilities: drop inheritable
cri-o · Jun 27, 2022 · 3dbcd3c · 3dbcd3c
2 parents c972b0a + af70823
commit 3dbcd3c
Showing 1 changed file with 3 additions and 12 deletions.
diff --git a/server/container_create.go b/server/container_create.go
@@ -292,6 +292,9 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 	// and pods expect that switching to a non-root user results in the capabilities being
 	// dropped. This should be revisited in the future.
 	specgen.Config.Process.Capabilities.Ambient = []string{}
+	// Also remove all inheritable capabilities in accordance with CVE-2022-27652,
+	// as it's not idiomatic for a manager of processes to set them.
+	specgen.Config.Process.Capabilities.Inheritable = []string{}
 
 	if caps == nil {
 		return nil
@@ -329,9 +332,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 			if err := specgen.AddProcessCapabilityEffective(c); err != nil {
 				return err
 			}
-			if err := specgen.AddProcessCapabilityInheritable(c); err != nil {
-				return err
-			}
 			if err := specgen.AddProcessCapabilityPermitted(c); err != nil {
 				return err
 			}
@@ -345,9 +345,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 			if err := specgen.DropProcessCapabilityEffective(c); err != nil {
 				return err
 			}
-			if err := specgen.DropProcessCapabilityInheritable(c); err != nil {
-				return err
-			}
 			if err := specgen.DropProcessCapabilityPermitted(c); err != nil {
 				return err
 			}
@@ -369,9 +366,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 		if err := specgen.AddProcessCapabilityEffective(capPrefixed); err != nil {
 			return err
 		}
-		if err := specgen.AddProcessCapabilityInheritable(capPrefixed); err != nil {
-			return err
-		}
 		if err := specgen.AddProcessCapabilityPermitted(capPrefixed); err != nil {
 			return err
 		}
@@ -388,9 +382,6 @@ func setupCapabilities(specgen *generate.Generator, caps *types.Capability, defa
 		if err := specgen.DropProcessCapabilityEffective(capPrefixed); err != nil {
 			return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
 		}
-		if err := specgen.DropProcessCapabilityInheritable(capPrefixed); err != nil {
-			return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
-		}
 		if err := specgen.DropProcessCapabilityPermitted(capPrefixed); err != nil {
 			return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
 		}