capabilities: be more graceful in resetting ambient

Similar to when SetAmbient() can fail, runc should be graceful about ResetAmbient failing. This functionality previously worked under gvisor, which doesn't implement ambient capabilities atm. The hard error on reset broke gvisor usage. Signed-off-by: Evan Phoenix <evan@phx.io>
2025-10-29 18:21:47 +08:00 · 2025-01-19 19:45:59 -08:00
parent 71cef22161
commit 54fa0c5577
1 changed files with 8 additions and 2 deletions
--- a/libcontainer/capabilities/capabilities.go
+++ b/libcontainer/capabilities/capabilities.go
@@ -3,10 +3,12 @@
 package capabilities

 import (
+	"errors"
 	"fmt"
 	"sort"
 	"strings"
 	"sync"
+	"syscall"

 	"github.com/moby/sys/capability"
 	"github.com/opencontainers/runc/libcontainer/configs"
@@ -129,9 +131,13 @@ func (c *Caps) ApplyCaps() error {
 	// don't return any errors, only warn.
 	ambs := c.caps[capability.AMBIENT]
 	err := capability.ResetAmbient()
-	if err != nil {
-		return fmt.Errorf("can't reset ambient capabilities: %w", err)
+
+	// EINVAL is returned when the kernel doesn't support ambient capabilities.
+	// We ignore this because runc supports running on older kernels.
+	if err != nil && !errors.Is(err, syscall.EINVAL) {
+		return err
 	}
+
 	for _, a := range ambs {
 		err := capability.SetAmbient(true, a)
 		if err != nil {