github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #2241 from justincormack/ambient_seccomp

Browse Source 
The set of bounding capabilities is the largest group
This commit is contained in:
Michael Crosby
2018-03-29 13:44:30 -04:00
committed by GitHub
parent def3069a67 9435aeeb30
commit cbfc9223a9
1 changed files with 3 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
contrib/seccomp/seccomp_default.go
View File

@@ -444,25 +444,8 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
}) })
} }
// make a map of enabled capabilities admin := false
caps := make(map[string]bool)
for _, c := range sp.Process.Capabilities.Bounding { for _, c := range sp.Process.Capabilities.Bounding {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Effective {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Inheritable {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Permitted {
caps[c] = true
}
for _, c := range sp.Process.Capabilities.Ambient {
caps[c] = true
}
for c := range caps {
switch c { switch c {
case "CAP_DAC_READ_SEARCH": case "CAP_DAC_READ_SEARCH":
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
@@ -471,6 +454,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Args: []specs.LinuxSeccompArg{}, Args: []specs.LinuxSeccompArg{},
}) })
case "CAP_SYS_ADMIN": case "CAP_SYS_ADMIN":
admin = true
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
Names: []string{ Names: []string{
"bpf", "bpf",
@@ -558,7 +542,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
} }
} }
if !caps["CAP_SYS_ADMIN"] { if !admin {
switch runtime.GOARCH { switch runtime.GOARCH {
case "s390", "s390x": case "s390", "s390x":
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{ s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{