fix: allow CAP_CHOWN in Ambient set

pkoutsovasilis · pkoutsovasilis · commit b61c1db77714 · 2024-06-18T11:16:16.000+03:00
diff --git a/internal/pkg/agent/cmd/container_init_linux.go b/internal/pkg/agent/cmd/container_init_linux.go
@@ -120,7 +120,7 @@ func getAmbientCapabilitiesFromEffectiveSet() ([]cap.Value, error) {
 	for capVal := cap.Value(0); capVal < cap.MaxBits(); capVal++ {
 
 		switch capVal {
-		case cap.CHOWN, cap.SETPCAP, cap.SETFCAP:
+		case cap.SETPCAP, cap.SETFCAP:
 			// don't set these as they shouldn't be required by any exec'ed child process
 			continue
 		default:
diff --git a/internal/pkg/agent/cmd/container_init_test.go b/internal/pkg/agent/cmd/container_init_test.go
@@ -173,13 +173,13 @@ func Test_getAmbientCapabilitiesFromEffectiveSet(t *testing.T) {
 	}{
 		{
 			name:         "no ambient caps",
-			procCaps:     []cap.Value{cap.CHOWN, cap.SETPCAP, cap.SETFCAP},
+			procCaps:     []cap.Value{cap.SETPCAP, cap.SETFCAP},
 			expectedCaps: []cap.Value(nil),
 		},
 		{
 			name:         "no ambient caps",
 			procCaps:     []cap.Value{cap.CHOWN, cap.SETPCAP, cap.SETFCAP, cap.BPF},
-			expectedCaps: []cap.Value{cap.BPF},
+			expectedCaps: []cap.Value{cap.CHOWN, cap.BPF},
 		},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -173,13 +173,13 @@ func Test_getAmbientCapabilitiesFromEffectiveSet(t *testing.T) {`
`173`	`173`	`}{`
`174`	`174`	`{`
`175`	`175`	`name: "no ambient caps",`
`176`		`- procCaps: []cap.Value{cap.CHOWN, cap.SETPCAP, cap.SETFCAP},`
	`176`	`+ procCaps: []cap.Value{cap.SETPCAP, cap.SETFCAP},`
`177`	`177`	`expectedCaps: []cap.Value(nil),`
`178`	`178`	`},`
`179`	`179`	`{`
`180`	`180`	`name: "no ambient caps",`
`181`	`181`	`procCaps: []cap.Value{cap.CHOWN, cap.SETPCAP, cap.SETFCAP, cap.BPF},`
`182`		`- expectedCaps: []cap.Value{cap.BPF},`
	`182`	`+ expectedCaps: []cap.Value{cap.CHOWN, cap.BPF},`
`183`	`183`	`},`
`184`	`184`	`}`
`185`	`185`