capability: can't raise ambient and drop bounding caps for other process

Signed-off-by: lfbzhm <[email protected]>
moby · Oct 13, 2024 · 3fb56d9 · 3fb56d9
1 parent e9445a4
commit 3fb56d9
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/capability/capability.go b/capability/capability.go
@@ -8,6 +8,8 @@
 // Package capability provides utilities for manipulating POSIX capabilities.
 package capability
 
+import "errors"
+
 type Capabilities interface {
 	// Get check whether a capability present in the given
 	// capabilities set. The 'which' value should be one of EFFECTIVE,
@@ -61,6 +63,11 @@ type Capabilities interface {
 	Apply(kind CapType) error
 }
 
+var (
+	ErrBoundingNotMine = errors.New("not support drop bounding cap of other process")
+	ErrAmbientNotMine  = errors.New("not support modify ambient cap of other process")
+)
+
 // NewPid initializes a new [Capabilities] object for given pid when
 // it is nonzero, or for the current process if pid is 0.
 //

diff --git a/capability/capability_linux.go b/capability/capability_linux.go
@@ -334,6 +334,9 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 	}
 	if kind&BOUNDS == BOUNDS {
 		var data [2]capData
+		if c.hdr.pid != 0 {
+			return ErrBoundingNotMine
+		}
 		err = capget(&c.hdr, &data[0])
 		if err != nil {
 			return
@@ -364,6 +367,9 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 	}
 
 	if kind&AMBS == AMBS {
+		if c.hdr.pid != 0 {
+			return ErrAmbientNotMine
+		}
 		err = prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)
 		if err != nil && err != syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
 			// Ignore EINVAL as not supported on kernels before 4.3