From 181bd4b912e717715d152aecb6ba517fed939f6f Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Tue, 7 Jan 2025 19:32:27 -0800
Subject: [PATCH] libct: straighten Caps inheritance
For all other properties that are available in both Config and Process, the merging is performed by newInitConfig. Let's do the same for Capabilities for the sake of code uniformity. While at it, allow nil capabilities to be passed (this is covered by the test case
Signed-off-by: Kir Kolyshkin
---
 libcontainer/capabilities/capabilities.go | 3 +++
 libcontainer/container_linux.go | 5 ++++-
 libcontainer/init_linux.go | 8 +-------
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go
index 4e63d97a201..6e44601ef1a 100644
--- a/libcontainer/capabilities/capabilities.go
+++ b/libcontainer/capabilities/capabilities.go
@@ -45,6 +45,9 @@ func KnownCapabilities() []string {
 // printing a warning instead.
 func New(capConfig *configs.Capabilities) (*Caps, error) {
 var c Caps
+ if capConfig == nil {
+ return &c, nil
+ }
 _, err := capMap()
 if err != nil {
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 12e219179d3..c9e74188e2b 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -691,7 +691,7 @@ func (c *Container) newInitConfig(process *Process) *initConfig {
 User: process.User,
 AdditionalGroups: process.AdditionalGroups,
 Cwd: process.Cwd,
- Capabilities: process.Capabilities,
+ Capabilities: c.config.Capabilities,
 PassedFilesCount: len(process.ExtraFiles),
 ContainerID: c.ID(),
 NoNewPrivileges: c.config.NoNewPrivileges,
@@ -707,6 +707,9 @@ func (c *Container) newInitConfig(process *Process) *initConfig {
 // Overwrite config properties with ones from process.
+ if process.Capabilities != nil {
+ cfg.Capabilities = process.Capabilities
+ }
 if process.NoNewPrivileges != nil {
 cfg.NoNewPrivileges = *process.NoNewPrivileges
 }
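Review bot: The new nil check in New returns the zero-valued Caps before capMap() is consulted, and the doc comment above the function (only its last line, "printing a warning instead.", is in the hunk) says nothing about what a nil capConfig means, so the contract should be written down: `// A nil capConfig yields a zero-valued Caps.` Before this change finalizeNamespace never passed nil but substituted `&configs.Capabilities{}`, which went through the full construction path; whether the zero value of Caps is applied exactly like a Caps built from an empty configuration is not visible in this hunk, and since this is the privilege boundary for the container process, the accompanying test should compare the outcome of New(nil) with New(&configs.Capabilities{}) rather than only assert that New(nil) returns no error. The body of New continues outside the hunk.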
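Review bot: In newInitConfig the override added after the "Overwrite config properties with ones from process." comment is wholesale, not a per-set merge: when process.Capabilities is non-nil the container's sets set as the default by `Capabilities: c.config.Capabilities,` in the earlier hunk at line 691 are not consulted at all, and an empty but non-nil process configuration therefore discards them. That mirrors the logic this commit removes from finalizeNamespace, so behaviour is unchanged, but the decision now lives here rather than next to the consumer and deserves a line of its own: `// A non-nil process.Capabilities replaces the container's capabilities entirely; individual sets are not merged.` Both hunks sit inside newInitConfig, whose body starts and ends outside them.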
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index bb9eca45ee8..613f6200f3a 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -351,13 +351,7 @@ func finalizeNamespace(config *initConfig) error {
 }
 }
- caps := &configs.Capabilities{}
- if config.Capabilities != nil {
- caps = config.Capabilities
- } else if config.Config.Capabilities != nil {
- caps = config.Config.Capabilities
- }
- w, err := capabilities.New(caps)
+ w, err := capabilities.New(config.Capabilities)
 if err != nil {
 return err
 }
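Review bot: The replacement line `w, err := capabilities.New(config.Capabilities)` now depends on two facts established in other files: that newInitConfig has already merged Config and Process capabilities into config.Capabilities, and that capabilities.New accepts a nil pointer. Neither is visible from finalizeNamespace, and this call determines the capability set the container process will run with, so a short comment would keep a future reader from re-adding the removed fallback or treating nil as an error: `// config.Capabilities is already merged from Config and Process by newInitConfig; nil is accepted by capabilities.New.` The removed code never passed nil (it substituted an empty configs.Capabilities), so any difference in how the returned Caps is applied for nil versus empty input would surface at this call site first; the apply step and the rest of finalizeNamespace lie outside the hunk.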