fix CVE-2022-24769

Signed-off-by: Rudy Zhang <[email protected]>

Author: rudyfly

daemon/mgr/container_exec.go

@@ -121,10 +121,9 @@ func (mgr *ContainerManager) StartExec(ctx context.Context, execid string, cfg *
 	if execConfig.Privileged {
 		capList := caps.GetAllCapabilities()
 		process.Capabilities = &specs.LinuxCapabilities{
-			Effective:   capList,
-			Bounding:    capList,
-			Permitted:   capList,
-			Inheritable: capList,
+			Effective: capList,
+			Bounding:  capList,
+			Permitted: capList,
 		}
 	} else if spec, err := mgr.getContainerSpec(c); err == nil {
 		// NOTE: if container is created by docker and taken over by pouchd,

daemon/mgr/spec_process.go

@@ -101,7 +101,6 @@ func setupCapabilities(ctx context.Context, hostConfig *types.HostConfig, s *spe
 	capabilities.Effective = caplist
 	capabilities.Bounding = caplist
 	capabilities.Permitted = caplist
-	capabilities.Inheritable = caplist
 
 	s.Process.Capabilities = capabilities
 	return nil

oci/spec_default.go

@@ -77,10 +77,9 @@ func NewDefaultSpec() *specs.Spec {
 
 	s.Process = &specs.Process{
 		Capabilities: &specs.LinuxCapabilities{
-			Bounding:    defaultCaps(),
-			Permitted:   defaultCaps(),
-			Inheritable: defaultCaps(),
-			Effective:   defaultCaps(),
+			Bounding:  defaultCaps(),
+			Permitted: defaultCaps(),
+			Effective: defaultCaps(),
 		},
 	}