Always use ambient capabilities if no new privileges set, not otherwise

Makefile

@@ -43,7 +43,7 @@ static: $(SOURCES) | $(RUNC_LINK)
 	CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
 
 release: $(RUNC_LINK) | $(RUNC_LINK)
-	@flag_list=(seccomp selinux apparmor static ambient); \
+	@flag_list=(seccomp selinux apparmor static); \
 	unset expression; \
 	for flag in "$${flag_list[@]}"; do \
 		expression+="' '{'',$${flag}}"; \

README.md

@@ -56,7 +56,6 @@ make BUILDTAGS='seccomp apparmor'
 | seccomp   | Syscall filtering                  | libseccomp  |
 | selinux   | selinux process and mount labeling | <none>      |
 | apparmor  | apparmor profile support           | libapparmor |
-| ambient   | ambient capability support         | kernel 4.3  |
 
 
 ### Running the test suite

libcontainer/capabilities_linux.go

@@ -60,7 +60,13 @@ func (w *whitelist) dropBoundingSet() error {
 }
 
 // drop drops all capabilities for the current process except those specified in the whitelist.
-func (w *whitelist) drop() error {
+// in the case where NoNewPrivileges is set, so sudo and fs capabilities cannot be used, we can
+// use ambient capabilities so that non root users will gain capabilities
+func (w *whitelist) drop(nnp bool) error {
+	allCapabilityTypes := capability.CAPS | capability.BOUNDS
+	if nnp {
+		allCapabilityTypes |= capability.AMBS
+	}
 	w.pid.Clear(allCapabilityTypes)
 	w.pid.Set(allCapabilityTypes, w.keep...)
 	return w.pid.Apply(allCapabilityTypes)

libcontainer/init_linux.go

@@ -141,7 +141,7 @@ func finalizeNamespace(config *initConfig) error {
 		return err
 	}
 	// drop all other capabilities
-	if err := w.drop(); err != nil {
+	if err := w.drop(config.NoNewPrivileges); err != nil {
 		return err
 	}
 	if config.Cwd != "" {