Merge pull request from GHSA-wr4f-w546-m398

do not set the inheritable capabilities

Author: giuseppe

src/exec.c

@@ -304,8 +304,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
           capabilities->effective = exec_options.cap;
           capabilities->effective_len = exec_options.cap_size;
 
-          capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
-          capabilities->inheritable_len = exec_options.cap_size;
+          capabilities->inheritable = NULL;
+          capabilities->inheritable_len = 0;
 
           capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
           capabilities->bounding_len = exec_options.cap_size;

src/libcrun/container.c

@@ -120,9 +120,6 @@ static const char spec_file[] = "\
 				\"CAP_NET_BIND_SERVICE\"\n\
 			],\n\
 			\"inheritable\": [\n\
-				\"CAP_AUDIT_WRITE\",\n\
-				\"CAP_KILL\",\n\
-				\"CAP_NET_BIND_SERVICE\"\n\
 			],\n\
 			\"permitted\": [\n\
 				\"CAP_AUDIT_WRITE\",\n\