From 700959be5cbc427f542482ec867b30f70ca8cf48 Mon Sep 17 00:00:00 2001 From: Peter Hunt~ Date: Mon, 19 Sep 2022 13:30:00 -0400 Subject: [PATCH 1/3] config: add field AddInheritableCapabilities Signed-off-by: Peter Hunt~ --- completions/bash/crio | 1 + completions/fish/crio.fish | 5 +++-- completions/zsh/_crio | 1 + docs/crio.8.md | 7 +++++-- docs/crio.conf.5.md | 4 ++++ internal/criocli/criocli.go | 9 +++++++++ pkg/config/config.go | 4 ++++ pkg/config/template.go | 11 +++++++++++ 8 files changed, 38 insertions(+), 4 deletions(-) diff --git a/completions/bash/crio b/completions/bash/crio index ce387c5026d..0d06cdc52f4 100755 --- a/completions/bash/crio +++ b/completions/bash/crio @@ -13,6 +13,7 @@ wipe help h --absent-mount-sources-to-reject +--add-inheritable-capabilities --additional-devices --address --allowed-devices diff --git a/completions/fish/crio.fish b/completions/fish/crio.fish index 1dadaa06dd1..19ea076ac4e 100644 --- a/completions/fish/crio.fish +++ b/completions/fish/crio.fish 
@@ -10,6 +10,7 @@ function __fish_crio_no_subcommand --description 'Test if there has been any sub end complete -c crio -n '__fish_crio_no_subcommand' -f -l absent-mount-sources-to-reject -r -d 'A list of paths that, when absent from the host, will cause a container creation to fail (as opposed to the current behavior of creating a directory).' +complete -c crio -n '__fish_crio_no_subcommand' -f -l add-inheritable-capabilities -d 'Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective.' complete -c crio -n '__fish_crio_no_subcommand' -f -l additional-devices -r -d 'Devices to add to the containers ' complete -c crio -n '__fish_crio_no_subcommand' -f -l allowed-devices -r -d 'Devices a user is allowed to specify with the "io.kubernetes.cri-o.Devices" allowed annotation' complete -c crio -n '__fish_crio_no_subcommand' -f -l apparmor-profile -r -d 'Name of the apparmor profile to be used as the runtime\'s default. This only takes effect if the user does not specify a profile via the Kubernetes Pod\'s metadata annotation.' 
@@ -128,11 +129,11 @@ complete -c crio -n '__fish_crio_no_subcommand' -l runroot -r -d 'The CRI-O stat complete -c crio -n '__fish_crio_no_subcommand' -f -l runtimes -r -d 'OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices:runtime_config_path' complete -c crio -n '__fish_crio_no_subcommand' -l seccomp-profile -r -d 'Path to the seccomp.json profile to be used as the runtime\'s default. If not specified, then the internal default seccomp profile will be used. (default: "")' complete -c crio -n '__fish_crio_no_subcommand' -f -l seccomp-use-default-when-empty -d 'Use the default seccomp profile when an empty one is specified' -complete -c crio -n '__fish_crio_no_subcommand' -f -l selinux -d 'Enable selinux support (default: false)' +complete -c crio -n '__fish_crio_no_subcommand' -f -l selinux -d 'Enable selinux support (default: true)' complete -c crio -n '__fish_crio_no_subcommand' -f -l separate-pull-cgroup -r -d '[EXPERIMENTAL] Pull in new cgroup (default: "")' complete -c crio -n '__fish_crio_no_subcommand' -l signature-policy -r -d 'Path to signature policy JSON file. (default: "", to use the system-wide default)' complete -c crio -n '__fish_crio_no_subcommand' -f -l stats-collection-period -r -d 'The number of seconds between collecting pod and container stats. If set to 0, the stats are collected on-demand instead.' -complete -c crio -n '__fish_crio_no_subcommand' -f -l storage-driver -s s -r -d 'OCI storage driver (default: "")' +complete -c crio -n '__fish_crio_no_subcommand' -f -l storage-driver -s s -r -d 'OCI storage driver (default: "overlay")' complete -c crio -n '__fish_crio_no_subcommand' -f -l storage-opt -r -d 'OCI storage driver option' complete -c crio -n '__fish_crio_no_subcommand' -f -l stream-address -r -d 'Bind address for streaming socket' complete -c crio -n '__fish_crio_no_subcommand' -f -l stream-enable-tls -d 'Enable encrypted TLS transport of the stream server (default: false)' 
diff --git a/completions/zsh/_crio b/completions/zsh/_crio index 1d18ea7ede1..44b32f22bd8 100644 --- a/completions/zsh/_crio +++ b/completions/zsh/_crio @@ -20,6 +20,7 @@ it later with **--config**. Global options will modify the output.' local -a opts opts=( '--absent-mount-sources-to-reject' + '--add-inheritable-capabilities' '--additional-devices' '--address' '--allowed-devices' diff --git a/docs/crio.8.md b/docs/crio.8.md index e0e55337507..49f0017236f 100644 --- a/docs/crio.8.md +++ b/docs/crio.8.md @@ -12,6 +12,7 @@ crio ``` [--absent-mount-sources-to-reject]=[value] +[--add-inheritable-capabilities] [--additional-devices]=[value] [--allowed-devices]=[value] [--apparmor-profile]=[value] @@ -137,6 +138,8 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...] **--absent-mount-sources-to-reject**="": A list of paths that, when absent from the host, will cause a container creation to fail (as opposed to the current behavior of creating a directory). (default: []) +**--add-inheritable-capabilities**: Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective. + **--additional-devices**="": Devices to add to the containers (default: []) **--allowed-devices**="": Devices a user is allowed to specify with the "io.kubernetes.cri-o.Devices" allowed annotation (default: [/dev/fuse]) @@ -334,7 +337,7 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...] **--seccomp-use-default-when-empty**: Use the default seccomp profile when an empty one is specified -**--selinux**: Enable selinux support (default: false) +**--selinux**: Enable selinux support (default: true) **--separate-pull-cgroup**="": [EXPERIMENTAL] Pull in new cgroup (default: "") 
@@ -342,7 +345,7 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 **--stats-collection-period**="": The number of seconds between collecting pod and container stats. If set to 0, the stats are collected on-demand instead. (default: 0)
-**--storage-driver, -s**="": OCI storage driver (default: "")
+**--storage-driver, -s**="": OCI storage driver (default: "overlay")
 **--storage-opt**="": OCI storage driver option (default: [])
diff --git a/docs/crio.conf.5.md b/docs/crio.conf.5.md
index dc4352b1902..5db1fed7680 100644
--- a/docs/crio.conf.5.md
+++ b/docs/crio.conf.5.md
@@ -183,6 +183,10 @@ the container runtime configuration.
 ]
 ```
+**add_inheritable_capabilities**=false
+ Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective.
+ If capabilities are expected to work for non-root users, this option should be set.
+
 **default_sysctls**=[]
 List of default sysctls. If it is empty or commented out, only the sysctls defined in the container json file by the user/kube will be added.
diff --git a/internal/criocli/criocli.go b/internal/criocli/criocli.go
index 4189e43082e..b3756be93c0 100644
--- a/internal/criocli/criocli.go
+++ b/internal/criocli/criocli.go
@@ -201,6 +201,9 @@ func mergeConfig(config *libconfig.Config, ctx *cli.Context) error {
 if ctx.IsSet("default-capabilities") {
 config.DefaultCapabilities = StringSliceTrySplit(ctx, "default-capabilities")
 }
+ if ctx.IsSet("add-inheritable-capabilities") {
+ config.AddInheritableCapabilities = ctx.Bool("add-inheritable-capabilities")
+ }
 if ctx.IsSet("default-sysctls") {
 config.DefaultSysctls = StringSliceTrySplit(ctx, "default-sysctls")
 }
@@ -709,6 +712,12 @@ func getCrioFlags(defConf *libconfig.Config) []cli.Flag { EnvVars: []string{"CONTAINER_DEFAULT_CAPABILITIES"}, Value: cli.NewStringSlice(defConf.DefaultCapabilities...), }, + &cli.BoolFlag{ + Name: "add-inheritable-capabilities", + Usage: "Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective.", + EnvVars: []string{"CONTAINER_ADD_INHERITABLE_CAPABILITIES"}, + Value: defConf.AddInheritableCapabilities, + }, &cli.StringSliceFlag{ Name: "default-sysctls", Usage: "Sysctls to add to the containers", diff --git a/pkg/config/config.go b/pkg/config/config.go index 01d00d7ab6a..983f9f7e264 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -253,6 +253,10 @@ type RuntimeConfig struct { // Capabilities to add to all containers. DefaultCapabilities capabilities.Capabilities `toml:"default_capabilities"` + // AddInheritableCapabilities can be set to add inheritable capabilities. They were pre-1.23 by default, and were dropped in 1.24. + // This can cause a regression with non-root users not getting capabilities as they previously did. + AddInheritableCapabilities bool `toml:"add_inheritable_capabilities"` + // Additional environment variables to set for all the // containers. These are overridden if set in the // container image spec or in the container runtime configuration. diff --git a/pkg/config/template.go b/pkg/config/template.go index 9c60408ee75..02ab434c0c1 100644 --- a/pkg/config/template.go +++ b/pkg/config/template.go 
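Review bot: The doc comment on the new `AddInheritableCapabilities` field in the `RuntimeConfig` hunk of pkg/config/config.go names "1.23" and "1.24" without saying which project's releases those are, and it does not say what enabling the option changes for the container's security posture. A reader of the field should be told that the flag populates the process's inheritable capability set, which is the set a non-root process can combine with file capabilities on an executable to obtain permitted capabilities, so turning it on widens what a non-root workload can acquire; presumably the version numbers refer to CRI-O releases, but the comment should say so. I would replace the first line with `// AddInheritableCapabilities also adds every capability granted to the permitted, bounding and effective sets to the inheritable set.` and follow it with a line naming the project whose 1.23/1.24 releases changed the behaviour and one stating that this restores pre-1.24 semantics for non-root users at the cost of a larger inheritable set. The "can be set to add" wording also reads as opt-in, which later patches in this series change.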
@@ -282,6 +282,11 @@ func initCrioTemplateConfig(c *Config) ([]*templateConfigValue, error) { group: crioRuntimeConfig, isDefaultValue: stringSliceEqual(dc.DefaultCapabilities, c.DefaultCapabilities), }, + { + templateString: templateStringCrioRuntimeAddInheritableCapabilities, + group: crioRuntimeConfig, + isDefaultValue: simpleEqual(dc.AddInheritableCapabilities, c.AddInheritableCapabilities), + }, { templateString: templateStringCrioRuntimeDefaultSysctls, group: crioRuntimeConfig, @@ -867,6 +872,12 @@ const templateStringCrioRuntimeDefaultCapabilities = `# List of default capabili ` +const templateStringCrioRuntimeAddInheritableCapabilities = `# Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective. +# If capabilities are expected to work for non-root users, this option should be set. +{{ $.Comment }}add_inheritable_capabilities = {{ .AddInheritableCapabilities }} + +` + const templateStringCrioRuntimeDefaultSysctls = `# List of default sysctls. If it is empty or commented out, only the sysctls # defined in the container json file by the user/kube will be added. {{ $.Comment }}default_sysctls = [ From 171ddf482565ef89ab07ab4fb81948a8b0def38b Mon Sep 17 00:00:00 2001 From: Peter Hunt~ Date: Mon, 19 Sep 2022 13:30:37 -0400 Subject: [PATCH 2/3] use AddInheritableCapabilities Signed-off-by: Peter Hunt~ --- internal/factory/container/container.go | 24 ++++++++++++++++++-- internal/factory/container/container_test.go | 24 ++++++++++++++------ internal/factory/sandbox/infra.go | 2 +- server/container_create_linux.go | 2 +- test/ctr.bats | 12 ++++++++++ 5 files changed, 53 insertions(+), 11 deletions(-) diff --git a/internal/factory/container/container.go b/internal/factory/container/container.go index a53ed7335ce..e2ad24639b3 100644 --- a/internal/factory/container/container.go +++ b/internal/factory/container/container.go 
@@ -111,7 +111,7 @@ type Container interface { SpecAddNamespaces(*sandbox.Sandbox, *oci.Container, *config.Config) error // SpecSetupCapabilities sets up the container's capabilities - SpecSetupCapabilities(*types.Capability, capabilities.Capabilities) error + SpecSetupCapabilities(*types.Capability, capabilities.Capabilities, bool) error // PidNamespace returns the pid namespace created by SpecAddNamespaces. PidNamespace() nsmgr.Namespace @@ -574,7 +574,7 @@ func (c *container) WillRunSystemd() bool { return strings.Contains(entrypoint, "/sbin/init") || (filepath.Base(entrypoint) == "systemd") } -func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps capabilities.Capabilities) error { +func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps capabilities.Capabilities, addInheritableCapabilities bool) error { // Make sure to remove all ambient capabilities. Kubernetes is not yet ambient capabilities aware // and pods expect that switching to a non-root user results in the capabilities being // dropped. This should be revisited in the future. @@ -628,6 +628,11 @@ func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps ca if err := specgen.AddProcessCapabilityPermitted(c); err != nil { return err } + if addInheritableCapabilities { + if err := specgen.AddProcessCapabilityInheritable(c); err != nil { + return err + } + } } } if dropAll { @@ -644,6 +649,11 @@ func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps ca if err := specgen.DropProcessCapabilityPermitted(c); err != nil { return err } + if addInheritableCapabilities { + if err := specgen.DropProcessCapabilityInheritable(c); err != nil { + return err + } + } } } 
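Review bot: In the `dropAll` branch (the `@@ -644` hunk) the call to `specgen.DropProcessCapabilityInheritable(c)` is guarded by `addInheritableCapabilities`, so when the option is off a DropCapabilities request leaves whatever is already in the spec's inheritable set untouched; nothing in these hunks shows that set being cleared in that mode (the comment at the top of `SpecSetupCapabilities` on line 574 only mentions ambient capabilities). Dropping is the safe direction and should not depend on the option, so I would guard only the Add calls and make the drop unconditional: `if err := specgen.DropProcessCapabilityInheritable(c); err != nil { return err }` — this assumes the specgen drop helper tolerates a capability that is not present, which should be confirmed. The same gating appears in the `@@ -687` hunk for the per-capability drop path. The body of `SpecSetupCapabilities` continues past the end of this hunk.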
@@ -668,6 +678,11 @@ func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps ca if err := specgen.AddProcessCapabilityPermitted(capPrefixed); err != nil { return err } + if addInheritableCapabilities { + if err := specgen.AddProcessCapabilityInheritable(capPrefixed); err != nil { + return err + } + } } for _, cap := range caps.DropCapabilities { @@ -687,6 +702,11 @@ func (c *container) SpecSetupCapabilities(caps *types.Capability, defaultCaps ca if err := specgen.DropProcessCapabilityPermitted(capPrefixed); err != nil { return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err) } + if addInheritableCapabilities { + if err := specgen.DropProcessCapabilityInheritable(capPrefixed); err != nil { + return err + } + } } return nil diff --git a/internal/factory/container/container_test.go b/internal/factory/container/container_test.go index b70cd97be6c..cdcca6ab4d4 100644 --- a/internal/factory/container/container_test.go +++ b/internal/factory/container/container_test.go @@ -533,7 +533,7 @@ var _ = t.Describe("Container", func() { var caps *types.Capability serverCaps := capabilities.Default() - Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil()) + Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil()) verifyCapValues(sut.Spec().Config.Process.Capabilities, len(serverCaps)) }) It("AddCapabilities should add capability", func() { @@ -543,7 +543,7 @@ var _ = t.Describe("Container", func() { } serverCaps := []string{} - Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil()) + Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil()) verifyCapValues(sut.Spec().Config.Process.Capabilities, len(serverCaps)+1) }) It("DropCapabilities should drop capability", func() { 
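Review bot: In the `@@ -687` hunk the new inheritable-drop branch returns the bare `err`, while the permitted-drop line two lines above it wraps the failure with the capability name (`"failed to drop cap %s %v"`); a failure from the new call will therefore surface without saying which capability or which set was involved. I would make it `return fmt.Errorf("failed to drop inheritable cap %s: %w", capPrefixed, err)`, and while there switch the sibling's `%v` to `%w` so callers can still use `errors.Is`/`errors.As` on the chain. The add paths in the `@@ -668` hunk and the earlier hunks return bare errors on both lines, so they are at least consistent with each other. `SpecSetupCapabilities` begins before this hunk; its closing `return nil` is visible here.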
@@ -553,7 +553,7 @@ var _ = t.Describe("Container", func() { } serverCaps := []string{"CHOWN"} - Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil()) + Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil()) verifyCapValues(sut.Spec().Config.Process.Capabilities, len(serverCaps)-1) }) It("AddCapabilities ALL DropCapabilities one should drop that one", func() { @@ -563,7 +563,7 @@ var _ = t.Describe("Container", func() { } serverCaps := []string{} - Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil()) + Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil()) verifyCapValues(sut.Spec().Config.Process.Capabilities, len(capability.List())-1) }) It("AddCapabilities one DropCapabilities ALL should add that one", func() { @@ -573,7 +573,7 @@ var _ = t.Describe("Container", func() { } serverCaps := []string{} - Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil()) + Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil()) verifyCapValues(sut.Spec().Config.Process.Capabilities, 1) }) It("AddCapabilities ALL DropCapabilities ALL should drop all", func() { @@ -583,7 +583,7 @@ var _ = t.Describe("Container", func() { } serverCaps := []string{} - Expect(sut.SpecSetupCapabilities(caps, serverCaps)).To(BeNil()) + Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil()) verifyCapValues(sut.Spec().Config.Process.Capabilities, 0) }) It("Invalid values should fail", func() { 
@@ -592,7 +592,17 @@ var _ = t.Describe("Container", func() { } serverCaps := []string{} - Expect(sut.SpecSetupCapabilities(caps, serverCaps)).NotTo(BeNil()) + Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).NotTo(BeNil()) + }) + It("Should add inheritable capabilities if set", func() { + caps := &types.Capability{ + AddCapabilities: []string{"CHOWN"}, + DropCapabilities: []string{"ALL"}, + } + serverCaps := []string{} + + Expect(sut.SpecSetupCapabilities(caps, serverCaps, true)).To(BeNil()) + Expect(len(sut.Spec().Config.Process.Capabilities.Inheritable)).To(Equal(1)) }) }) }) diff --git a/internal/factory/sandbox/infra.go b/internal/factory/sandbox/infra.go index 1ca9fccf24d..818b47082de 100644 --- a/internal/factory/sandbox/infra.go +++ b/internal/factory/sandbox/infra.go @@ -50,7 +50,7 @@ func (s *sandbox) InitInfraContainer(serverConfig *libconfig.Config, podContaine } // Add capabilities from crio.conf if default_capabilities is defined - if err := s.infra.SpecSetupCapabilities(&types.Capability{}, serverConfig.DefaultCapabilities); err != nil { + if err := s.infra.SpecSetupCapabilities(&types.Capability{}, serverConfig.DefaultCapabilities, serverConfig.AddInheritableCapabilities); err != nil { return err } diff --git a/server/container_create_linux.go b/server/container_create_linux.go index e1e82dafc7a..709542d5685 100644 --- a/server/container_create_linux.go +++ b/server/container_create_linux.go @@ -434,7 +434,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrfactory.Cont specgen.SetupPrivileged(true) } else { capabilities := securityContext.Capabilities - if err := ctr.SpecSetupCapabilities(capabilities, s.config.DefaultCapabilities); err != nil { + if err := ctr.SpecSetupCapabilities(capabilities, s.config.DefaultCapabilities, s.config.AddInheritableCapabilities); err != nil { return nil, err } } diff --git a/test/ctr.bats b/test/ctr.bats index ca897db5d6b..e7006517767 100644 --- a/test/ctr.bats +++ b/test/ctr.bats 
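Review bot: The only new test, "Should add inheritable capabilities if set", pins the enabled path; none of the updated cases asserts the inverse, that with the flag `false` the inheritable set stays empty after adding `CHOWN` and dropping `ALL`, which is the property the option exists to preserve and the one a regression would silently break. The existing cases were only mechanically updated to pass `false` and check counts via `verifyCapValues`, which from these hunks appears to count a different set. I would add the sibling case below; the expected zero assumes the spec `sut` starts with an empty inheritable set, which is not visible in this hunk and should be confirmed.

```go
It("Should not add inheritable capabilities if unset", func() {
	caps := &types.Capability{
		AddCapabilities:  []string{"CHOWN"},
		DropCapabilities: []string{"ALL"},
	}
	serverCaps := []string{}

	Expect(sut.SpecSetupCapabilities(caps, serverCaps, false)).To(BeNil())
	Expect(len(sut.Spec().Config.Process.Capabilities.Inheritable)).To(Equal(0))
})
```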
@@ -695,6 +695,18 @@ function check_oci_annotation() { [[ "$output" =~ 00000000002020db ]] } +@test "ctr with add_inheritable_capabilities has inheritable capabilities" { + CONTAINER_ADD_INHERITABLE_CAPABILITIES=true start_crio + pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json) + + jq ' .linux.security_context.run_as_username = "redis"' \ + "$TESTDATA"/container_redis.json > "$newconfig" + ctr_id=$(crictl create "$pod_id" "$newconfig" "$TESTDATA"/sandbox_config.json) + crictl start "$ctr_id" + + crictl exec --sync "$ctr_id" grep "CapEff:\s0000000000000000" /proc/1/status +} + @test "ctr oom" { start_crio pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json) From bab3681045641d36a54c56a81179b41f53fbfe93 Mon Sep 17 00:00:00 2001 From: Peter Hunt~ Date: Wed, 28 Sep 2022 12:15:37 -0400 Subject: [PATCH 3/3] set add_inheritable_capabilities to true by default Signed-off-by: Peter Hunt~ --- completions/fish/crio.fish | 4 ++-- docs/crio.8.md | 4 ++-- docs/crio.conf.5.md | 2 +- pkg/config/config.go | 1 + 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/completions/fish/crio.fish b/completions/fish/crio.fish index 19ea076ac4e..b7d2cc6a69b 100644 --- a/completions/fish/crio.fish +++ b/completions/fish/crio.fish 
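Review bot: The new bats case is named "has inheritable capabilities" but its only assertion is `grep "CapEff:\s0000000000000000"`, and an effective set of zero is what any non-root process (`run_as_username = "redis"` here) shows whether or not the inheritable set was populated, so the test passes with `CONTAINER_ADD_INHERITABLE_CAPABILITIES` having no effect at all. It should read the `CapInh` line and require a non-zero mask, e.g. `run crictl exec --sync "$ctr_id" grep CapInh /proc/1/status` followed by `[[ ! "$output" =~ CapInh:[[:space:]]+0000000000000000 ]]`, matching the `run`/`$output` style of the `check_oci_annotation` case just above. Keeping the existing `CapEff` check alongside it is still useful, since it documents that the inheritable bits do not leak into the effective set for a non-root user. Whether `crictl exec --sync` propagates grep's exit status as the test currently relies on should be confirmed.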
@@ -129,11 +129,11 @@ complete -c crio -n '__fish_crio_no_subcommand' -l runroot -r -d 'The CRI-O stat complete -c crio -n '__fish_crio_no_subcommand' -f -l runtimes -r -d 'OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices:runtime_config_path' complete -c crio -n '__fish_crio_no_subcommand' -l seccomp-profile -r -d 'Path to the seccomp.json profile to be used as the runtime\'s default. If not specified, then the internal default seccomp profile will be used. (default: "")' complete -c crio -n '__fish_crio_no_subcommand' -f -l seccomp-use-default-when-empty -d 'Use the default seccomp profile when an empty one is specified' -complete -c crio -n '__fish_crio_no_subcommand' -f -l selinux -d 'Enable selinux support (default: true)' +complete -c crio -n '__fish_crio_no_subcommand' -f -l selinux -d 'Enable selinux support (default: false)' complete -c crio -n '__fish_crio_no_subcommand' -f -l separate-pull-cgroup -r -d '[EXPERIMENTAL] Pull in new cgroup (default: "")' complete -c crio -n '__fish_crio_no_subcommand' -l signature-policy -r -d 'Path to signature policy JSON file. (default: "", to use the system-wide default)' complete -c crio -n '__fish_crio_no_subcommand' -f -l stats-collection-period -r -d 'The number of seconds between collecting pod and container stats. If set to 0, the stats are collected on-demand instead.' -complete -c crio -n '__fish_crio_no_subcommand' -f -l storage-driver -s s -r -d 'OCI storage driver (default: "overlay")' +complete -c crio -n '__fish_crio_no_subcommand' -f -l storage-driver -s s -r -d 'OCI storage driver (default: "")' complete -c crio -n '__fish_crio_no_subcommand' -f -l storage-opt -r -d 'OCI storage driver option' complete -c crio -n '__fish_crio_no_subcommand' -f -l stream-address -r -d 'Bind address for streaming socket' complete -c crio -n '__fish_crio_no_subcommand' -f -l stream-enable-tls -d 'Enable encrypted TLS transport of the stream server (default: false)' 
diff --git a/docs/crio.8.md b/docs/crio.8.md
index 49f0017236f..7983168dc9d 100644
--- a/docs/crio.8.md
+++ b/docs/crio.8.md
@@ -337,7 +337,7 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 **--seccomp-use-default-when-empty**: Use the default seccomp profile when an empty one is specified
-**--selinux**: Enable selinux support (default: true)
+**--selinux**: Enable selinux support (default: false)
 **--separate-pull-cgroup**="": [EXPERIMENTAL] Pull in new cgroup (default: "")
@@ -345,7 +345,7 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 **--stats-collection-period**="": The number of seconds between collecting pod and container stats. If set to 0, the stats are collected on-demand instead. (default: 0)
-**--storage-driver, -s**="": OCI storage driver (default: "overlay")
+**--storage-driver, -s**="": OCI storage driver (default: "")
 **--storage-opt**="": OCI storage driver option (default: [])
diff --git a/docs/crio.conf.5.md b/docs/crio.conf.5.md
index 5db1fed7680..fcedfba38dd 100644
--- a/docs/crio.conf.5.md
+++ b/docs/crio.conf.5.md
@@ -183,7 +183,7 @@ the container runtime configuration.
 ]
 ```
-**add_inheritable_capabilities**=false
+**add_inheritable_capabilities**=true
 Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective.
 If capabilities are expected to work for non-root users, this option should be set.
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 983f9f7e264..c8b3a5d3f62 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -798,6 +798,7 @@ func DefaultConfig() (*Config, error) {
 LogSizeMax: DefaultLogSizeMax,
 CtrStopTimeout: defaultCtrStopTimeout,
 DefaultCapabilities: capabilities.Default(),
+ AddInheritableCapabilities: true,
 LogLevel: "info",
 HooksDir: []string{hooks.DefaultDir},
 CDISpecDirs: cdi.DefaultSpecDirs,
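Review bot: `AddInheritableCapabilities: true` in `DefaultConfig` makes every container's inheritable set populated unless an operator opts out, yet the field comment added in the first patch still describes the option as something that "can be set", and the `--add-inheritable-capabilities` entry in crio.8.md carries no "(default: …)" text the way the neighbouring flags do, so someone reading either will assume the safer-by-default behaviour. I would change the field comment's last line to `// Defaults to true; set to false to keep the inheritable set empty, which is the more restrictive choice for non-root workloads.` and have the flag's Usage string mention the default as the sibling flags do. The keys in this struct literal are gofmt-aligned, so the longer `AddInheritableCapabilities` key presumably forces the neighbouring keys to be re-indented; that is not visible after the collapse but worth checking. The `--selinux` and `--storage-driver` default flips in the completions and man pages here (and the opposite flips in patch 1) look like generated-documentation drift from the build host rather than part of this change and should be dropped from the series.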