Change libcontainer to drop all capabilities by default. Only keeps
those that were specified in the config. This commit also explicitly adds a set of capabilities that we were silently not dropping and that the tests assumed were present.

Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
parent
1cc1c05a55
commit
3a423f3e4e
2 changed files with 25 additions and 18 deletions
|
@ -55,6 +55,11 @@ var (
|
|||
{Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN},
|
||||
{Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN},
|
||||
{Key: "SYSLOG", Value: capability.CAP_SYSLOG},
|
||||
{Key: "SETUID", Value: capability.CAP_SETUID},
|
||||
{Key: "SETGID", Value: capability.CAP_SETGID},
|
||||
{Key: "CHOWN", Value: capability.CAP_CHOWN},
|
||||
{Key: "NET_RAW", Value: capability.CAP_NET_RAW},
|
||||
{Key: "DAC_OVERRIDE", Value: capability.CAP_DAC_OVERRIDE},
|
||||
}
|
||||
)
|
||||
|
||||
|
|
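Review bot: The entries from `SETUID` through `DAC_OVERRIDE` (apparently the five additions, going by the hunk header's 6-to-11 line counts) have no comment explaining why they are in the table. Under the new drop-by-default behaviour this list looks like the set of names a config can ask to keep, so a reader auditing a container's privileges needs to know these five were previously retained implicitly. I would add above them something like `// Formerly kept implicitly; with drop-by-default a config must name these to retain them.` Of the five, `CAP_DAC_OVERRIDE` bypasses file permission checks and `CAP_NET_RAW` allows raw sockets, so it is worth noting that configs should request them only where a workload needs them, rather than copying the set the tests assume. The enclosing `var (` block starts outside this hunk and the second changed file is not shown here, so how an unlisted name from a config is handled cannot be checked from this view.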