podman
1//go:build !remote2package libpod4import (6"github.com/containers/common/pkg/capabilities"7"github.com/moby/sys/user"8spec "github.com/opencontainers/runtime-spec/specs-go"9)10func (c *Container) setProcessCapabilitiesExec(options *ExecOptions, user string, execUser *user.ExecUser, pspec *spec.Process) error {12ctrSpec, err := c.specFromState()13if err != nil {14return err15}16allCaps, err := capabilities.BoundingSet()18if err != nil {19return err20}21if options.Privileged {22pspec.Capabilities.Bounding = allCaps23} else {24pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding25}26// Always unset the inheritable capabilities similarly to what the Linux kernel does28// They are used only when using capabilities with uid != 0.29pspec.Capabilities.Inheritable = []string{}30if execUser.Uid == 0 {32pspec.Capabilities.Effective = pspec.Capabilities.Bounding33pspec.Capabilities.Permitted = pspec.Capabilities.Bounding34} else if user == c.config.User {35pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective36pspec.Capabilities.Inheritable = ctrSpec.Process.Capabilities.Effective37pspec.Capabilities.Permitted = ctrSpec.Process.Capabilities.Effective38pspec.Capabilities.Ambient = ctrSpec.Process.Capabilities.Effective39}40return nil41}42