From ed485db1465d67f0215c27529c57a76a1daf5135 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 28 Feb 2022 11:05:18 +0100
Subject: [PATCH 1/2] spec: do not set inheritable capabilities

Closes: CVE-2022-27650

Signed-off-by: Giuseppe Scrivano
(cherry picked from commit b847d146d496c9d7beba166fd595488e85488562)
---
 src/libcrun/container.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/libcrun/container.c b/src/libcrun/container.c
index d3fb017..1e3f3e6 100644
--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
@@ -128,9 +128,6 @@ static char spec_file[] = "\
 \"CAP_NET_BIND_SERVICE\"\n\
 ],\n\
 \"inheritable\": [\n\
- \"CAP_AUDIT_WRITE\",\n\
- \"CAP_KILL\",\n\
- \"CAP_NET_BIND_SERVICE\"\n\
 ],\n\
 \"permitted\": [\n\
 \"CAP_AUDIT_WRITE\",\n\
-- 
2.35.1
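Review bot: The `"inheritable"` array in `spec_file` is now empty, but nothing in the string or next to it records that this is deliberate, so the three entries are easy to reinstate by someone "aligning" the list with the bounding and permitted sets just above and below it. Add a C comment above the `spec_file` declaration (which starts outside the hunk), along the lines of `/* "inheritable" is intentionally empty (CVE-2022-27650): capabilities in the inheritable set can be retained across execve(), so the default spec must not grant them. */`. This hunk only changes the spec that crun generates; whether the runtime path that applies a container's capability sets also refuses to populate the inheritable set is outside this diff and presumably what PATCH 2/2 addresses, so the comment should not claim more than the spec change itself.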