Grant no initial capabilities to non-root UIDs.

See modified comment in auth.NewUserCredentials(); compare to the
behavior of setresuid(2) as implemented by
//pkg/sentry/kernel/task_identity.go:kernel.Task.setKUIDsUncheckedLocked().

PiperOrigin-RevId: 228381765
Change-Id: I45238777c8f63fcf41b99fce3969caaf682fe408

1 files changed, 12 insertions, 7 deletions

diff --git a/pkg/sentry/kernel/auth/credentials.go b/pkg/sentry/kernel/auth/credentials.go
index de33f1953..a843b9aab 100644
--- a/pkg/sentry/kernel/auth/credentials.go
+++ b/pkg/sentry/kernel/auth/credentials.go
@@ -119,19 +119,24 @@ func NewUserCredentials(kuid KUID, kgid KGID, extraKGIDs []KGID, capabilities *T
 	// Set additional GIDs.
 	creds.ExtraKGIDs = append(creds.ExtraKGIDs, extraKGIDs...)
 
-	// Set capabilities. If capabilities aren't specified, we default to
-	// all capabilities.
+	// Set capabilities.
 	if capabilities != nil {
 		creds.PermittedCaps = capabilities.PermittedCaps
 		creds.EffectiveCaps = capabilities.EffectiveCaps
 		creds.BoundingCaps = capabilities.BoundingCaps
 		creds.InheritableCaps = capabilities.InheritableCaps
-		// // TODO: Support ambient capabilities.
+		// TODO: Support ambient capabilities.
 	} else {
-		// If no capabilities are specified, grant the same capabilities
-		// that NewRootCredentials does.
-		creds.PermittedCaps = AllCapabilities
-		creds.EffectiveCaps = AllCapabilities
+		// If no capabilities are specified, grant capabilities consistent with
+		// setresuid + setresgid from NewRootCredentials to the given uid and
+		// gid.
+		if kuid == RootKUID {
+			creds.PermittedCaps = AllCapabilities
+			creds.EffectiveCaps = AllCapabilities
+		} else {
+			creds.PermittedCaps = 0
+			creds.EffectiveCaps = 0
+		}
 		creds.BoundingCaps = AllCapabilities
 	}