capabilities: be more graceful in resetting ambient

evanphx · evanphx · commit 64890be99b13 · 2025-01-19T19:45:59.000-08:00
Similar to when SetAmbient() can fail, runc should be graceful about
ResetAmbient failing.

This functionality previously worked under gvisor, which doesn't
implement ambient capabilities atm. The hard error on reset broke gvisor
usage.
diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go
@@ -130,7 +130,7 @@ func (c *Caps) ApplyCaps() error {
 	ambs := c.caps[capability.AMBIENT]
 	err := capability.ResetAmbient()
 	if err != nil {
-		return fmt.Errorf("can't reset ambient capabilities: %w", err)
+		logrus.Warnf("can't reset ambient capabilities %w", err)
 	}
 	for _, a := range ambs {
 		err := capability.SetAmbient(true, a)

Original file line number	Diff line number	Diff line change
`@@ -130,7 +130,7 @@ func (c *Caps) ApplyCaps() error {`
`130`	`130`	`ambs := c.caps[capability.AMBIENT]`
`131`	`131`	`err := capability.ResetAmbient()`
`132`	`132`	`if err != nil {`
`133`		`- return fmt.Errorf("can't reset ambient capabilities: %w", err)`
	`133`	`+ logrus.Warnf("can't reset ambient capabilities %w", err)`
`134`	`134`	`}`
`135`	`135`	`for _, a := range ambs {`
`136`	`136`	`err := capability.SetAmbient(true, a)`