From d3bf68367fe708a1d74d89a8d57c9b85c4fd292d Mon Sep 17 00:00:00 2001
From: build
Date: Thu, 16 Jun 2022 09:53:40 +0800
Subject: [PATCH] CVE-2022-24769
Signed-off-by: build
---
 components/engine/daemon/exec_linux.go | 10 ++++------
 components/engine/daemon/oci.go | 20 ++++++++++++--------
 components/engine/oci/defaults.go | 1 -
 3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/components/engine/daemon/exec_linux.go b/components/engine/daemon/exec_linux.go
index cd52f48..8720aa9 100644
--- a/components/engine/daemon/exec_linux.go
+++ b/components/engine/daemon/exec_linux.go
@@ -21,13 +21,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
 }
 }
 if ec.Privileged {
- if p.Capabilities == nil {
- p.Capabilities = &specs.LinuxCapabilities{}
+ p.Capabilities = &specs.LinuxCapabilities{
+ Bounding: caps.GetAllCapabilities(),
+ Permitted: caps.GetAllCapabilities(),
+ Effective: caps.GetAllCapabilities(),
 }
- p.Capabilities.Bounding = caps.GetAllCapabilities()
- p.Capabilities.Permitted = p.Capabilities.Bounding
- p.Capabilities.Inheritable = p.Capabilities.Bounding
- p.Capabilities.Effective = p.Capabilities.Bounding
 }
 if apparmor.IsEnabled() {
 var appArmorProfile string
diff --git a/components/engine/daemon/oci.go b/components/engine/daemon/oci.go
index 52050e2..4148e90 100644
--- a/components/engine/daemon/oci.go
+++ b/components/engine/daemon/oci.go
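Review bot: The privileged branch grants a full Permitted and Effective set regardless of the exec user's UID, whereas the oci.go hunk in the same patch leaves those two sets empty for non-root processes; if a privileged exec as a non-root user is meant to keep them (the removed code did the same, so presumably yes), that asymmetry should be stated rather than left for a reader to reconcile. Nothing in the hunk says that omitting Inheritable is the substance of the fix, so a later maintainer could "complete" the literal by adding it back to mirror the other three fields; I would put `// Inheritable is intentionally left unset (CVE-2022-24769); privileged exec keeps full Bounding/Permitted/Effective sets even for a non-root user.` above the literal. Calling `caps.GetAllCapabilities()` three times presumably yields three distinct slices instead of the single aliased slice the removed `Permitted = p.Capabilities.Bounding` produced, which is the safer choice; a short comment would stop a well-meaning hoist into one local. execSetPlatformOpt begins before the hunk and its body continues after it.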
@@ -26,15 +26,19 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
 return err
 }
 }
- s.Process.Capabilities.Effective = caplist
- s.Process.Capabilities.Bounding = caplist
- s.Process.Capabilities.Permitted = caplist
- s.Process.Capabilities.Inheritable = caplist
 // setUser has already been executed here
- // if non root drop capabilities in the way execve does
- if s.Process.User.UID != 0 {
- s.Process.Capabilities.Effective = []string{}
- s.Process.Capabilities.Permitted = []string{}
+ if s.Process.User.UID == 0 {
+ s.Process.Capabilities = &specs.LinuxCapabilities{
+ Effective: caplist,
+ Bounding: caplist,
+ Permitted: caplist,
+ }
+ } else {
+ // Do not set Effective and Permitted capabilities for non-root users,
+ // to match what execve does.
+ s.Process.Capabilities = &specs.LinuxCapabilities{
+ Bounding: caplist,
+ }
 }
 return nil
 }
diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
index ff027d8..57cbddb 100644
--- a/components/engine/oci/defaults.go
+++ b/components/engine/oci/defaults.go
@@ -61,7 +61,6 @@ func DefaultLinuxSpec() specs.Spec {
 Capabilities: &specs.LinuxCapabilities{
 Bounding: defaultCapabilities(),
 Permitted: defaultCapabilities(),
- Inheritable: defaultCapabilities(),
 Effective: defaultCapabilities(),
 },
 },
-- 
2.33.0
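Review bot: Neither branch records why Inheritable is no longer populated, and the surviving `// setUser has already been executed here` now floats above the `if` without saying what depends on it, while the removed `// if non root drop capabilities in the way execve does` was the only explanation of the non-root path. I would merge them into one comment on the `if`: `// setUser has already run, so User.UID is final. Inheritable is deliberately left unset (CVE-2022-24769); Bounding is set for everyone, Permitted/Effective only for root, matching execve.` Replacing the whole `s.Process.Capabilities` struct, rather than assigning its fields as before, also drops whatever else the default spec carried in that struct (an Ambient set, for instance, if one were ever added), which is presumably intended but worth a sentence. setCapabilities starts before the hunk, so how `caplist` is derived is outside view.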