capabilities: be more graceful in resetting ambient

Similar to when SetAmbient() can fail, runc should be graceful about ResetAmbient failing. This functionality previously worked under gvisor, which doesn't implement ambient capabilities atm. The hard error on reset broke gvisor usage. Signed-off-by: Evan Phoenix <[email protected]>
opencontainers · Jan 24, 2025 · 17087f7 · 17087f7
1 parent a7d7645
commit 17087f7
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go
@@ -3,10 +3,12 @@
 package capabilities
 
 import (
+	"errors"
 	"fmt"
 	"sort"
 	"strings"
 	"sync"
+	"syscall"
 
 	"github.com/moby/sys/capability"
 	"github.com/opencontainers/runc/libcontainer/configs"
@@ -129,9 +131,13 @@ func (c *Caps) ApplyCaps() error {
 	// don't return any errors, only warn.
 	ambs := c.caps[capability.AMBIENT]
 	err := capability.ResetAmbient()
-	if err != nil {
-		return fmt.Errorf("can't reset ambient capabilities: %w", err)
+
+	// EINVAL is returned when the kernel doesn't support ambient capabilities.
+	// We ignore this because runc supports running on older kernels.
+	if err != nil && !errors.Is(err, syscall.EINVAL) {
+		return err
 	}
+
 	for _, a := range ambs {
 		err := capability.SetAmbient(true, a)
 		if err != nil {