File 0008-run-Don-t-set-ambient-capabilities.patch of Package buildah.41306

From ff47463a5a70c165a7dba43280b16b4222231a94 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Fri, 24 Oct 2025 22:46:20 +0530
Subject: [PATCH 8/8] run: Don't set ambient capabilities

Ambient capabilities can't be raised without inheritable ones, and since we
don't raise inheritable, we should not raise ambient either.

This went unnoticed because of a bug in syndtr/gocapability which is
only fixed in its fork (see the next commit).

Amends commit e7e55c988.

Bugs: bsc#1252543

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
 chroot/run_linux.go | 2 +-
 run_linux.go        | 6 ------
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/chroot/run_linux.go b/chroot/run_linux.go
index dae4b717c395..f05304337c35 100644
--- a/chroot/run_linux.go
+++ b/chroot/run_linux.go
@@ -181,7 +181,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
 		capability.EFFECTIVE:   spec.Process.Capabilities.Effective,
 		capability.INHERITABLE: []string{},
 		capability.PERMITTED:   spec.Process.Capabilities.Permitted,
-		capability.AMBIENT:     spec.Process.Capabilities.Ambient,
+		capability.AMBIENT:     {},
 	}
 	knownCaps := capability.List()
 	noCap := capability.Cap(-1)
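Review bot: The new `capability.AMBIENT: {},` entry silently discards whatever `spec.Process.Capabilities.Ambient` holds, and nothing in the map literal says this is deliberate. A one-line comment above the entry would record the reason, e.g. `// Ambient cannot be raised without inheritable, which is left empty above, so the spec's ambient set is intentionally ignored.` For consistency with the `capability.INHERITABLE: []string{},` entry, the value could be spelled the same way (`[]string{}`). setCapabilities starts before and continues past this hunk, so it cannot be seen here whether a non-empty ambient set in the spec is reported to the caller.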
diff --git a/run_linux.go b/run_linux.go
index a270cdb413ed..67f0275e80d2 100644
--- a/run_linux.go
+++ b/run_linux.go
@@ -1118,9 +1118,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
 		if err := g.AddProcessCapabilityPermitted(cap); err != nil {
 			return fmt.Errorf("adding %q to the permitted capability set: %w", cap, err)
 		}
-		if err := g.AddProcessCapabilityAmbient(cap); err != nil {
-			return fmt.Errorf("adding %q to the ambient capability set: %w", cap, err)
-		}
 	}
 	return nil
 }
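Review bot: setupCapAdd now raises each capability in the permitted set but not in ambient, and the code no longer says why the ambient set is skipped. Suggest a comment after the permitted call: `// Ambient is not raised: it requires the capability in inheritable, which we never set.` The function's doc comment could also state that, with inheritable and ambient both empty, an added capability is presumably not retained across execve by a non-root process unless the binary carries file capabilities; confirm against the intended behaviour for non-root users. The loop header and the earlier calls are outside the hunk.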
@@ -1136,9 +1133,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
 		if err := g.DropProcessCapabilityPermitted(cap); err != nil {
 			return fmt.Errorf("removing %q from the permitted capability set: %w", cap, err)
 		}
-		if err := g.DropProcessCapabilityAmbient(cap); err != nil {
-			return fmt.Errorf("removing %q from the ambient capability set: %w", cap, err)
-		}
 	}
 	return nil
 }
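Review bot: Removing the `DropProcessCapabilityAmbient` call in setupCapDrop is only safe if the generator's ambient set is already empty when this runs, which is not visible in the hunk. Unlike the add path, dropping from ambient can never grant privilege, so keeping it is a fail-safe. If the spec was seeded with ambient capabilities elsewhere, a dropped capability would otherwise stay listed in ambient while gone from permitted. Either keep the drop, or clear the ambient set once where the capability sets are initialised and say so here, e.g. `// ambient is always empty at this point; see <place where it is cleared>`. The function begins outside the hunk.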
-- 
2.51.0
