From afa4ec0db01b620be540e72e25fc86092e2fa303 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 2 Nov 2020 14:45:54 +0100
Subject: specgen: keep capabilities with --userns=keep-id
if --userns=keep-id is specified and not --user is specified, take the unprivileged capabilities code path so that ambient capabilities are honored in the container.
Signed-off-by: Giuseppe Scrivano
---
 pkg/specgen/generate/security.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'pkg/specgen')
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index be6555195..dee140282 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -137,7 +137,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	user := strings.Split(s.User, ":")[0]
-	if user == "" || user == "root" || user == "0" {
+	if (user == "" && s.UserNS.NSMode != specgen.KeepID) || user == "root" || user == "0" {
 		configSpec.Process.Capabilities.Effective = caplist
 		configSpec.Process.Capabilities.Permitted = caplist
 	} else {
-- 
cgit v1.2.3-54-g00ecf
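Review bot: The new condition on the `+` line encodes the rule "keep-id without an explicit --user is unprivileged" only implicitly, and nothing in the hunk says why `specgen.KeepID` alone decides which capability sets get `caplist`; a later reader will not know whether `--userns=keep-id` combined with `--user=root` or `--user=0` still landing in the privileged branch is intended. I would add a comment above the `if`, e.g. `// keep-id maps the invoking (rootless) user into the container; with no explicit --user the process is unprivileged, so fall through to the ambient-capability path instead of populating Effective/Permitted.`, and name the test for readability: `keepID := s.UserNS.NSMode == specgen.KeepID` followed by `if (user == "" && !keepID) || user == "root" || user == "0" {`. Note that the check infers "non-root" from the namespace mode rather than from the UID the container will actually run as, so if a caller could reach this with keep-id as a UID-0 host user, the unprivileged path would be taken for a root process; worth confirming that combination is rejected earlier. securityConfigureGenerator and its else branch continue outside the hunk.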