Commit 54fa0c5

Browse files
evanphx authored and kolyshkin committed
capabilities: be more graceful in resetting ambient

Similar to when SetAmbient() can fail, runc should be graceful about ResetAmbient failing. This functionality previously worked under gvisor, which doesn't implement ambient capabilities atm. The hard error on reset broke gvisor usage.

Signed-off-by: Evan Phoenix <[email protected]>
1 parent 71cef22 commit 54fa0c5

1 file changed, +8 -2 lines changed

libcontainer/capabilities/capabilities.go

Lines changed: 8 additions & 2 deletions
@@ -3,10 +3,12 @@
33
package capabilities
44

55
import (
6+
"errors"
67
"fmt"
78
"sort"
89
"strings"
910
"sync"
11+
"syscall"
1012

1113
"github.com/moby/sys/capability"
1214
"github.com/opencontainers/runc/libcontainer/configs"
@@ -129,9 +131,13 @@ func (c *Caps) ApplyCaps() error {
129131
// don't return any errors, only warn.
130132
ambs := c.caps[capability.AMBIENT]
131133
err := capability.ResetAmbient()
132-
if err != nil {
133-
return fmt.Errorf("can't reset ambient capabilities: %w", err)
134+
135+
// EINVAL is returned when the kernel doesn't support ambient capabilities.
136+
// We ignore this because runc supports running on older kernels.
137+
if err != nil && !errors.Is(err, syscall.EINVAL) {
138+
return err
134139
}
140+
135141
for _, a := range ambs {
136142
err := capability.SetAmbient(true, a)
137143
if err != nil {
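Review bot: the new `return err` drops the context that the removed `fmt.Errorf("can't reset ambient capabilities: %w", err)` carried, so a caller now sees a bare errno with no hint that it came from the ambient reset; keeping the wrap, `return fmt.Errorf("can't reset ambient capabilities: %w", err)`, still works with the `errors.Is` check right above it. Two further points: the added comment justifies ignoring EINVAL with older kernels, while the commit message motivates the change with gVisor, so it is worth confirming that gVisor's prctl(PR_CAP_AMBIENT, ...) actually fails with EINVAL rather than another errno such as EPERM or ENOSYS, otherwise this change does not fix the reported breakage; and `errors.Is(err, syscall.EINVAL)` only matches if `capability.ResetAmbient` returns the raw errno or wraps it with `%w`, which should be checked against the moby/sys/capability version pinned in go.mod. The blank `+` line added between the closing `}` and the `for _, a := range ambs` loop is an unrelated whitespace change and could be dropped.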
