Support prctls PR_CAP_AMBIENT + PR_SET_SECUREBITS #6089

bnoordhuis · 2021-05-27T21:15:37Z

Description

We have code to drop ambient capabilities that looks like this:

prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS_LOCKED | SECBIT_NOROOT /* | etc */);

Works great everywhere except under gVisor, where the prctls fail with EINVAL.

Environment

Whatever version of gVisor GCP's Cloud Run uses. A quick skim of the master branch suggests they're not supported there, either.

ianlewis · 2021-05-27T23:18:12Z

gVisor currently doesn't support ambient capabilities so we'd likely need to support them before supporting PR_CAP_AMBIENT
#3166

github-actions · 2023-09-13T00:22:48Z

A friendly reminder that this issue had no activity for 120 days.

github-actions · 2023-12-13T00:20:13Z

This issue has been closed due to lack of activity.

github-actions · 2024-05-18T00:17:52Z

A friendly reminder that this issue had no activity for 120 days.

bnoordhuis added the type: bug Something isn't working label May 27, 2021

github-actions bot added the stale-issue This issue has not been updated in 120 days. label Sep 13, 2023

github-actions bot added the auto-closed label Dec 13, 2023

github-actions bot closed this as completed Dec 13, 2023

milantracy reopened this Jan 18, 2024

ayushr2 removed stale-issue This issue has not been updated in 120 days. auto-closed labels Jan 18, 2024

github-actions bot added the stale-issue This issue has not been updated in 120 days. label May 18, 2024

Provide feedback