google / gvisor

Application Kernel for Containers
https://gvisor.dev
Apache License 2.0

Support prctls PR_CAP_AMBIENT + PR_SET_SECUREBITS #6089

Open bnoordhuis opened 3 years ago

bnoordhuis commented 3 years ago

Description

We have code to drop ambient capabilities that looks like this:

prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS_LOCKED | SECBIT_NOROOT /* | etc */);

Works great everywhere except under gVisor, where the prctls fail with EINVAL.

Environment

Whatever version of gVisor GCP's Cloud Run uses. A quick skim of the master branch suggests they're not supported there, either.

ianlewis commented 3 years ago

gVisor currently doesn't support ambient capabilities, so we'd likely need to support them before supporting PR_CAP_AMBIENT: https://github.com/google/gvisor/issues/3166
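
An added example, not code from this issue or from gVisor: one way a caller could handle the EINVAL reported above, by classifying each prctl result and letting a startup policy decide whether an unsupported call is acceptable. The names `classify`, `clear_ambient`, `lock_securebits` and `hardening_ok`, and the `allow_unsupported` switch, are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/securebits.h>

#ifndef PR_CAP_AMBIENT              /* headers older than Linux 4.3 */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_CLEAR_ALL 4
#endif

/* Outcome of one hardening call; these names are this example's own. */
enum step { STEP_APPLIED, STEP_UNSUPPORTED, STEP_DENIED, STEP_ERROR };

/* Map a prctl() return value and its errno to an outcome. */
static enum step classify(int rc, int err)
{
    if (rc == 0)       return STEP_APPLIED;
    if (err == EINVAL) return STEP_UNSUPPORTED; /* the error reported under gVisor */
    if (err == EPERM)  return STEP_DENIED;      /* e.g. no CAP_SETPCAP for securebits */
    return STEP_ERROR;
}

static enum step clear_ambient(void)
{
    int rc = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
    return classify(rc, errno);
}

static enum step lock_securebits(unsigned long bits)
{
    int rc = prctl(PR_SET_SECUREBITS, bits, 0, 0, 0);
    return classify(rc, errno);
}

/* Startup policy: 1 to continue, 0 to abort. EPERM and other errors always abort. */
static int hardening_ok(enum step amb, enum step sec, int allow_unsupported)
{
    if (amb == STEP_APPLIED && sec == STEP_APPLIED) return 1;
    if (!allow_unsupported) return 0;  /* strict: refuse to run half-hardened */
    return (amb == STEP_APPLIED || amb == STEP_UNSUPPORTED) &&
           (sec == STEP_APPLIED || sec == STEP_UNSUPPORTED);
}

int main(void)
{
    enum step amb = clear_ambient();
    enum step sec = lock_securebits(SECBIT_KEEP_CAPS_LOCKED | SECBIT_NOROOT);
    printf("ambient=%d securebits=%d\n", amb, sec);
    return hardening_ok(amb, sec, 1) ? 0 : 1;
}
```

Passing 0 as the last argument to `hardening_ok` makes the process refuse to start wherever either call is unsupported, which is the safer default when the securebits are relied on to stop a root process regaining capabilities.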

github-actions[bot] commented 9 months ago

A friendly reminder that this issue had no activity for 120 days.

github-actions[bot] commented 6 months ago

This issue has been closed due to lack of activity.
