tests: integration: fix capability setting for CAP_DAC_OVERRIDE

Due to the way capabilities have to be set by runc, capabilities need to be included in the inheritable and ambient sets anyway. Otherwise, the container process would not have the correct privileges. This test only functioned because adding CAP_DAC_OVERRIDE to the inherited, permissible, and bounding sets means that only "runc init" has these capabilities -- everything other than the bounding set is cleared on the first execve(). This breaks with runc-dmz, but the behaviour was broken from the outset. Docker appears to not handle this properly at all (the logic for capability sets changed with the introduction of ambient capabilities, and while Docker was updated it seems the behaviour is still incorrect for non-root users). Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-26 19:41:35 +08:00 · 2023-08-19 00:01:55 +10:00
parent b9a4727f54
commit 6be763eeaa
1 changed files with 2 additions and 0 deletions
--- a/tests/integration/start_hello.bats
+++ b/tests/integration/start_hello.bats
@@ -58,6 +58,8 @@ function teardown() {
 	# Enable CAP_DAC_OVERRIDE.
 	update_config '	  .process.capabilities.bounding += ["CAP_DAC_OVERRIDE"]
 			| .process.capabilities.effective += ["CAP_DAC_OVERRIDE"]
+			| .process.capabilities.inheritable += ["CAP_DAC_OVERRIDE"]
+			| .process.capabilities.ambient += ["CAP_DAC_OVERRIDE"]
 			| .process.capabilities.permitted += ["CAP_DAC_OVERRIDE"]'

 	runc run test_busybox