Add a test for CVE-2022-27651

Check that the inheritable capabilities are set to 0, even when we explicitly try to add capabilities. Signed-off-by: Nalin Dahyabhai <[email protected]>
containers · Mar 24, 2022 · 90b3254 · 90b3254
1 parent 5d252d4
commit 90b3254
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/tests/run.bats b/tests/run.bats
@@ -786,9 +786,23 @@ _EOF
 	if test "$DBUS_SESSION_BUS_ADDRESS" = ""; then
 		skip "${1:-test does not work when \$BUILDAH_ISOLATION = chroot}"
 	fi
+	_prefetch alpine
 
 	run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json alpine
 	cid=$output
 	run_buildah run --cgroupns=host $cid cat /proc/self/cgroup
 	expect_output --substring "/user.slice/"
 }
+
+@test "run-inheritable-capabilities" {
+	skip_if_no_runtime
+
+	_prefetch alpine
+
+	run_buildah from --quiet --pull=false --signature-policy ${TESTSDIR}/policy.json alpine
+	cid=$output
+	run_buildah run $cid grep ^CapInh: /proc/self/status
+	expect_output "CapInh:	0000000000000000"
+	run_buildah run --cap-add=ALL $cid grep ^CapInh: /proc/self/status
+	expect_output "CapInh:	0000000000000000"
+}