github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

The set of bounding capabilities is the largest group

Browse Source 
No capabilities can be granted outside the bounding set, so there
is no point looking at any other set for the largest scope.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This commit is contained in:
Justin Cormack
2018-03-28 15:31:26 -07:00
parent 79963209f6
commit 9435aeeb30
1 changed files with 3 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
contrib/seccomp/seccomp_default.go
View File

@@ -444,25 +444,8 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
})
}
// make a map of enabled capabilities
caps := make(map[string]bool)
admin := false
for _, c := range sp.Process.Capabilities.Bounding {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Effective {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Inheritable {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Permitted {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Ambient {
caps[c] = true
}
for c := range caps {
switch c {
case "CAP_DAC_READ_SEARCH":
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
@@ -471,6 +454,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Args: []specs.LinuxSeccompArg{},
})
case "CAP_SYS_ADMIN":
admin = true
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
Names: []string{
"bpf",
@@ -558,7 +542,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
}
}
if !caps["CAP_SYS_ADMIN"] {
if !admin {
switch runtime.GOARCH {
case "s390", "s390x":
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{