From 21cb5a8c7bcc90c42743ffd15cd11a55bf66993d Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 28 Feb 2022 11:06:50 +0100
Subject: [PATCH 2/2] exec: --cap do not set inheritable capabilities
Closes: CVE-2022-27650
Signed-off-by: Giuseppe Scrivano
(cherry picked from commit 1aeeed2e4fdeffb4875c0d0b439915894594c8c6)
---
 src/exec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/exec.c b/src/exec.c
index bf6c05f..8c9862d 100644
--- a/src/exec.c
+++ b/src/exec.c
@@ -250,8 +250,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
 capabilities->effective = exec_options.cap;
 capabilities->effective_len = exec_options.cap_size;
- capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
- capabilities->inheritable_len = exec_options.cap_size;
+ capabilities->inheritable = NULL;
+ capabilities->inheritable_len = 0;
 capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
 capabilities->bounding_len = exec_options.cap_size;
--
2.35.1
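Review bot: The two added assignments that clear `capabilities->inheritable` carry no comment, so the asymmetry with the `effective` and `bounding` sets around them reads like an oversight that a later cleanup could undo by restoring the `dup_array` call. I would put a comment above them, for example `/* --cap must leave the inheritable set empty (CVE-2022-27650): a non-empty set lets binaries with inheritable file capabilities raise them into the permitted set on execve. */`. The diffstat shows only src/exec.c changing, so a regression test asserting that a process started with `exec --cap` reports an all-zero `CapInh` in `/proc/self/status` would be worth adding alongside. If the code after the hunk also fills an ambient set from the same list, confirm how that is handled, since the kernel only raises an ambient capability that is present in both the permitted and inheritable sets. The enclosing block of `crun_command_exec` starts and ends outside the hunk.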