effective and permitted capability sets cannot be taken into account #979
Description
#675 introduced the ability to specify capabilities for each of the Linux capability sets:
- bounding
- permitted
- inheritable
- effective
- ambient
But this is very generic and not possible to implement meaningfully in a container runtime because:
effectiveandpermittedcannot be passed to the container because the kernel will reset them during the exec of the pid1 process in the container (see details in Transformation of capabilities during execve()), so that's not really useful.- all combinations are not possible, e.g. each
ambientcap has to be in bothpermittedandeffective.
To test this in practice, I use runc run --bundle=$PWD foo | grep Cap with the command cat /proc/self/status in config.json:
# runc run --bundle=$PWD foo | grep Cap
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 00000000a80425fa
# capsh --decode=00000000a80425fb
0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
# capsh --decode=00000000a80425fa
0x00000000a80425fa=cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
In this test, I had a config.json with CAP_CHOWN in the bounding, inheritable and ambient sets but not in the effective and permitted sets. But confusingly, the cap appears in the effective and permitted sets but not in the ambient set. With the rules in Transformation of capabilities during execve()), that's the expected behaviour.
| Specified in config.json | Tested in the container | |
|---|---|---|
| bounding | ✔ | ✔ |
| effective | ✔ | |
| inheritable | ✔ | ✔ |
| permitted | ✔ | |
| ambient | ✔ |
But there is no point in defining the effective and permitted sets in config.json since it will not be taken into account in practice.