capability: we should only raise ambient cap for our own process
Signed-off-by: lifubang <lifubang@acmcoder.com>
lifubang committed Oct 9, 2024
1 parent fc58436 commit 3ce9f85
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions capability/capability_linux.go
Expand Up @@ -367,6 +367,9 @@ func (c *capsV3) Apply(kind CapType) error {
}

if kind&AMBS == AMBS {
if c.hdr.pid != 0 {
return errors.New("not support to raise ambient cap for other process")
}
// Ignore EINVAL as not supported on kernels before 4.3
err = ignoreEINVAL(ambientClearAll())
if err != nil {
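
Review bot: The new guard `if c.hdr.pid != 0` at the top of the `AMBS` branch treats every nonzero pid as another process, so a caps object whose header carries the caller's own pid explicitly would also be rejected, which is stricter than the commit title's "only raise ambient cap for our own process". Either also accept a pid that matches the calling process, or state in the doc comment of `Apply` that ambient capabilities are applied only when the header pid is 0. The message "not support to raise ambient cap for other process" is ungrammatical; something like "raising ambient capabilities for another process is not supported" reads better, and returning a package-level error value instead of an inline `errors.New` would let callers match it with `errors.Is`.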