Hi,
I am the author of the change. Some details are not visible since it is an internal issue; I will try to cover as much as I can here.
Initially, we found out that runsc grants processes certain abilities and permissions outside of the user that they run as: the capabilities permit unprivileged users to change file owners, bypass file system permissions, and switch users entirely. These privileges could pass onto file system mounts, so files outside of the container located within the mount may have owners and permissions modified as well, potentially causing a denial of service for other containers sharing the mounted files.
Some speculation around that time led to mishandling of Linux capabilities.
In order to avoid giving processes more capabilities than intended, we implemented this temporary solution, where runsc reads the file capabilities of the target process binary and calculates its effective and permitted sets. I am also working on file capabilities support in gVisor, which will be consistent with the behavior you are seeing once merged.
Let me know if you have any questions.
Thanks
Jing
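As an added illustration of the permitted/effective calculation from file capabilities that the comment describes, this is not gVisor's code but the standard execve transformation from capabilities(7), simplified to ignore the uid-0 special cases; the constants are the kernel's capability bit positions.

```go
package main

import "fmt"

// Capability bit masks (subset; bit positions per linux/capability.h).
const (
	CAP_CHOWN            uint64 = 1 << 0
	CAP_DAC_OVERRIDE     uint64 = 1 << 1
	CAP_SETUID           uint64 = 1 << 7
	CAP_NET_BIND_SERVICE uint64 = 1 << 10
)

// FileCaps mirrors the security.capability xattr: two sets and one flag.
type FileCaps struct {
	Permitted   uint64
	Inheritable uint64
	Effective   bool
}

// ProcCaps holds a thread's five capability sets.
type ProcCaps struct {
	Permitted, Inheritable, Effective, Bounding, Ambient uint64
}

// ApplyFileCaps computes the post-execve sets per capabilities(7):
//   P'(ambient)     = file has caps ? 0 : P(ambient)
//   P'(permitted)   = (P(inh) & F(inh)) | (F(perm) & P(bounding)) | P'(ambient)
//   P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
//   P'(inheritable) = P(inheritable); P'(bounding) = P(bounding)
// Without file caps an unprivileged process ends up with an empty set,
// which is the behavior the runsc change restores.
func ApplyFileCaps(p ProcCaps, f FileCaps) ProcCaps {
	n := ProcCaps{Inheritable: p.Inheritable, Bounding: p.Bounding}
	if f.Permitted == 0 && f.Inheritable == 0 {
		n.Ambient = p.Ambient // ambient survives only a non-privileged exec
	}
	n.Permitted = (p.Inheritable & f.Inheritable) | (f.Permitted & p.Bounding) | n.Ambient
	if f.Effective {
		n.Effective = n.Permitted
	} else {
		n.Effective = n.Ambient
	}
	return n
}

func main() {
	proc := ProcCaps{Bounding: ^uint64(0) &^ CAP_CHOWN} // bounding set lacks CAP_CHOWN
	bin := FileCaps{Permitted: CAP_CHOWN | CAP_NET_BIND_SERVICE, Effective: true}
	fmt.Printf("permitted after exec: %#x\n", ApplyFileCaps(proc, bin).Permitted) // 0x400
}
```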