use pr_CAP_AMBIENT_CLEAR_ALL to reduce pr_CAP_AMBIENT_LOWER syscall

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
moby · Sep 27, 2024 · 5f8565f · 5f8565f
1 parent 46235e8
commit 5f8565f
Showing 1 changed file with 12 additions and 10 deletions.
diff --git a/capability/capability_linux.go b/capability/capability_linux.go
@@ -364,19 +364,21 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 	}
 
 	if kind&AMBS == AMBS {
+		err = prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)
+		if err != nil {
+			return
+		}
 		for i := Cap(0); i <= last; i++ {
-			action := pr_CAP_AMBIENT_LOWER
 			if c.Get(AMBIENT, i) {
-				action = pr_CAP_AMBIENT_RAISE
-			}
-			err = prctl(pr_CAP_AMBIENT, action, uintptr(i), 0, 0)
-			if err != nil {
-				// Ignore EINVAL as not supported on kernels before 4.3
-				if err == syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
-					err = nil
-					continue
+				err = prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_RAISE, uintptr(i), 0, 0)
+				if err != nil {
+					// Ignore EINVAL as not supported on kernels before 4.3
+					if err == syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
+						err = nil
+						continue
+					}
+					return
 				}
-				return
 			}
 		}
 	}