11a9bb6ce7
Currently, the `exec` driver is only setting the Bounding set, which is not sufficient to actually enable the requisite capabilities for the task process. In order for the capabilities to survive `execve` performed by libcontainer, the `Permitted`, `Inheritable`, and `Ambient` sets must also be set.

Per CAPABILITIES (7):

> Ambient: This is a set of capabilities that are preserved across an
> execve(2) of a program that is not privileged. The ambient capability
> set obeys the invariant that no capability can ever be ambient if it
> is not both permitted and inheritable.
4 lines
110 B
Plaintext
```release-note:bug
driver/exec: Fixed a bug where `cap_drop` and `cap_add` would not expand capabilities
```
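Review bot: The release-note text "would not expand capabilities" is hard to act on, and it reads oddly next to `cap_drop`, since dropping a capability never expands anything. The commit message states the actual defect: only the Bounding set was set, so the requested capabilities did not reach the task process. Consider wording the entry around that effect, for example that capabilities requested for an `exec` task were not applied to the task process, so an operator scanning the changelog can tell whether their jobs were affected.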
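The difference the commit message draws between a capability being in the Bounding set and being held by the task can be checked from the `Cap*` lines of `/proc/<pid>/status`. The Go code below is an added example, not code from this commit or from Nomad; the function names, the result strings, the status excerpts and the use of CAP_NET_ADMIN (bit 12) are constructed for illustration.

```go
package main

import ("fmt"; "strconv"; "strings")

// Constructed /proc/<pid>/status excerpts; bit 12 (0x1000) is CAP_NET_ADMIN.
const boundingOnly = "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t0000000000001000\nCapAmb:\t0000000000000000\n"
const allSets = "CapInh:\t0000000000001000\nCapPrm:\t0000000000001000\nCapEff:\t0000000000001000\nCapBnd:\t0000000000001000\nCapAmb:\t0000000000001000\n"

// CapSets holds the five per-thread capability masks.
type CapSets struct{ Inh, Prm, Eff, Bnd, Amb uint64 }

// ParseCapSets reads the Cap* hex masks and fails if any of the five is missing.
func ParseCapSets(status string) (CapSets, error) {
	var c CapSets
	fields := map[string]*uint64{"CapInh": &c.Inh, "CapPrm": &c.Prm,
		"CapEff": &c.Eff, "CapBnd": &c.Bnd, "CapAmb": &c.Amb}
	for _, line := range strings.Split(status, "\n") {
		key, val, _ := strings.Cut(line, ":")
		if dst, ok := fields[key]; ok {
			v, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
			if err != nil {
				return c, fmt.Errorf("%s: %w", key, err)
			}
			*dst = v
			delete(fields, key) // mark this set as seen
		}
	}
	if len(fields) != 0 {
		return c, fmt.Errorf("%d capability lines missing", len(fields))
	}
	return c, nil
}

// Check classifies capability number bit for a task with these sets.
func Check(c CapSets, bit uint) string {
	m := uint64(1) << bit
	switch {
	case c.Amb&^(c.Prm&c.Inh) != 0: return "invalid: ambient is not a subset of permitted & inheritable"
	case c.Bnd&m == 0: return "dropped: not in the bounding set"
	case c.Prm&m == 0: return "bounding-only: allowed by the bound but not granted"
	case c.Amb&m == 0: return "not ambient: lost when a non-privileged program is exec'd"
	}
	return "ambient: preserved across execve of a non-privileged program"
}

func main() {
	c, err := ParseCapSets(boundingOnly)
	fmt.Println(Check(c, 12), err)
}
```

The `boundingOnly` excerpt models the state the commit message describes before the fix, and `allSets` the state after it.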