Merge pull request #2241 from justincormack/ambient_seccomp

The set of bounding capabilities is the largest group
Michael Crosby 2018-03-29 13:44:30 -04:00 committed by GitHub
commit cbfc9223a9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -444,25 +444,8 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
})
}
// make a map of enabled capabilities
caps := make(map[string]bool)
admin := false
for _, c := range sp.Process.Capabilities.Bounding {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Effective {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Inheritable {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Permitted {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Ambient {
caps[c] = true
}
for c := range caps {
switch c {
case "CAP_DAC_READ_SEARCH":
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
@ -471,6 +454,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Args: []specs.LinuxSeccompArg{},
})
case "CAP_SYS_ADMIN":
admin = true
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
Names: []string{
"bpf",
@ -558,7 +542,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
}
}
if !caps["CAP_SYS_ADMIN"] {
if !admin {
switch runtime.GOARCH {
case "s390", "s390x":
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
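Review bot: The first hunk (old line 444 onward) appears to key every capability-gated syscall allowance off `sp.Process.Capabilities.Bounding` alone, and nothing visible checks or documents the assumption that the Effective, Inheritable, Permitted and Ambient lists are subsets of it. The +/- markers are lost on this page, so that reading is inferred from the hunk counts and the commit title. A spec that names a capability in Effective or Permitted but not in Bounding would now get a tighter filter than before; that fails closed, but it will look like an unexplained EPERM to whoever debugs it, so I would state the assumption above the loop, e.g. `// Bounding is assumed to be a superset of the other capability sets; a capability listed only elsewhere adds no syscalls.` It is also worth confirming that `sp.Process` and `sp.Process.Capabilities` cannot be nil when the loop runs, since DefaultProfile's body starts and ends outside these hunks and no guard is visible here.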