podman
1//go:build !remote
2
3package libpod
4
5import (
6"github.com/containers/common/pkg/capabilities"
7"github.com/moby/sys/user"
8spec "github.com/opencontainers/runtime-spec/specs-go"
9)
10
11func (c *Container) setProcessCapabilitiesExec(options *ExecOptions, user string, execUser *user.ExecUser, pspec *spec.Process) error {
12ctrSpec, err := c.specFromState()
13if err != nil {
14return err
15}
16
17allCaps, err := capabilities.BoundingSet()
18if err != nil {
19return err
20}
21if options.Privileged {
22pspec.Capabilities.Bounding = allCaps
23} else {
24pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
25}
26
27// Always unset the inheritable capabilities similarly to what the Linux kernel does
28// They are used only when using capabilities with uid != 0.
29pspec.Capabilities.Inheritable = []string{}
30
31if execUser.Uid == 0 {
32pspec.Capabilities.Effective = pspec.Capabilities.Bounding
33pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
34} else if user == c.config.User {
35pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
36pspec.Capabilities.Inheritable = ctrSpec.Process.Capabilities.Effective
37pspec.Capabilities.Permitted = ctrSpec.Process.Capabilities.Effective
38pspec.Capabilities.Ambient = ctrSpec.Process.Capabilities.Effective
39}
40return nil
41}
42