Overview

File 0010-vendor-buildah-Don-t-set-ambient-capabilities.patch of Package podman.41273

From 61336ca74f4a34cc768617cf5539496e53f5c2c2 Mon Sep 17 00:00:00 2001
From: Danish Prakash <contact@danishpraka.sh>
Date: Fri, 24 Oct 2025 22:33:47 +0530
Subject: [PATCH 10/11] vendor/buildah: Don't set ambient capabilities

Ambient capabilities can't be raised without inheritable ones, and since we
don't raise inheritable, we should not raise ambient either.

This went unnoticed because of a bug in syndtr/gocapability which is
only fixed in its fork (see the next commit).

Amends commit e7e55c988.

Bugs: bsc#1252543

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
---
 vendor/github.com/containers/buildah/chroot/run_linux.go | 2 +-
 vendor/github.com/containers/buildah/run_linux.go        | 6 ------
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/vendor/github.com/containers/buildah/chroot/run_linux.go b/vendor/github.com/containers/buildah/chroot/run_linux.go
index dae4b717c395..f05304337c35 100644
--- a/vendor/github.com/containers/buildah/chroot/run_linux.go
+++ b/vendor/github.com/containers/buildah/chroot/run_linux.go
@@ -181,7 +181,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
 		capability.EFFECTIVE:   spec.Process.Capabilities.Effective,
 		capability.INHERITABLE: []string{},
 		capability.PERMITTED:   spec.Process.Capabilities.Permitted,
-		capability.AMBIENT:     spec.Process.Capabilities.Ambient,
+		capability.AMBIENT:     {},
 	}
 	knownCaps := capability.List()
 	noCap := capability.Cap(-1)
diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go
index 69c51c1ed96d..65a6c1ed4875 100644
--- a/vendor/github.com/containers/buildah/run_linux.go
+++ b/vendor/github.com/containers/buildah/run_linux.go
@@ -1033,9 +1033,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
 		if err := g.AddProcessCapabilityPermitted(cap); err != nil {
 			return fmt.Errorf("adding %q to the permitted capability set: %w", cap, err)
 		}
-		if err := g.AddProcessCapabilityAmbient(cap); err != nil {
-			return fmt.Errorf("adding %q to the ambient capability set: %w", cap, err)
-		}
 	}
 	return nil
 }
@@ -1051,9 +1048,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
 		if err := g.DropProcessCapabilityPermitted(cap); err != nil {
 			return fmt.Errorf("removing %q from the permitted capability set: %w", cap, err)
 		}
-		if err := g.DropProcessCapabilityAmbient(cap); err != nil {
-			return fmt.Errorf("removing %q from the ambient capability set: %w", cap, err)
-		}
 	}
 	return nil
 }
-- 
2.51.0
openSUSE Build Service is sponsored by
Places