packages/lxc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
lxc/0024-remove-process-inheritable-capability.patch
songbuhuang 38800f4f7d fix lxc write error message 
Signed-off-by: songbuhuang <544824346@qq.com>
2023-02-21 09:47:45 +08:00

28 lines
1.0 KiB
Diff
Raw Blame History

From d232c098c9a75fce2b7e6da55faa89cd546d3dc9 Mon Sep 17 00:00:00 2001
From: isuladci <isulad@ci.com>
Date: Tue, 31 Jan 2023 19:14:57 +0800
Subject: [PATCH] remove process inheritable capability
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/lxc/conf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 439601a..c478bf2 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -5528,7 +5528,8 @@ int lxc_drop_caps(struct lxc_conf *conf)
if (caplist[i]) {
cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
- cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+ // fix CVE-2022-24769
+ // inheritable capability should be empty
}
}
--
2.25.1
Reference in New Issue View Git Blame Copy Permalink