package spec
import "github.com/opencontainers/runtime-spec/specs-go"
// OciCapabilities selects the capability set handed to the OCI runtime for a
// container.
//
// privileged == true yields PrivilegedContainerCapabilities; anything else
// yields UnprivilegedContainerCapabilities. The struct is returned by value,
// but its slice fields alias the package-level lists, so callers must treat
// the result as read-only: appending to, sorting or overwriting those slices
// in place would change the capabilities every later caller receives.
func OciCapabilities(privileged bool) specs.LinuxCapabilities {
	if privileged {
		return PrivilegedContainerCapabilities
	}
	return UnprivilegedContainerCapabilities
}
// uniformCapabilitySet builds a LinuxCapabilities whose Effective, Bounding,
// Inheritable and Permitted sets are all the same list. Every other field of
// specs.LinuxCapabilities (notably Ambient) is left at its zero value.
//
// NOTE(review): the Inheritable set is deliberately filled here, mirroring the
// original literals. On execve Linux adds pI ∩ fI to the new process, so a
// binary inside the image that carries file inheritable capability bits can
// regain any capability in this list (still bounded by Bounding). Docker and
// runc stopped populating Inheritable by default for that reason; unless a
// caller depends on it, an empty Inheritable set would be the tighter choice.
// Confirm against callers before changing.
func uniformCapabilitySet(caps []string) specs.LinuxCapabilities {
	return specs.LinuxCapabilities{
		Effective:   caps,
		Bounding:    caps,
		Inheritable: caps,
		Permitted:   caps,
	}
}

var (
	// unprivilegedCaps is the capability list used for ordinary containers:
	// 14 capabilities, which appears to mirror the default Docker set. Verify
	// against the intended baseline rather than assuming equivalence.
	unprivilegedCaps = []string{
		"CAP_AUDIT_WRITE",
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FOWNER",
		"CAP_FSETID",
		"CAP_KILL",
		"CAP_MKNOD",
		"CAP_NET_BIND_SERVICE",
		"CAP_NET_RAW",
		"CAP_SETFCAP",
		"CAP_SETGID",
		"CAP_SETPCAP",
		"CAP_SETUID",
		"CAP_SYS_CHROOT",
	}

	// privilegedCaps is the capability list used for privileged containers.
	// It enumerates the capabilities up to CAP_AUDIT_READ; capabilities added
	// in newer kernels (CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE, Linux
	// 5.8+) are not listed, so "privileged" here is narrower than "all
	// capabilities" on such kernels. Whether that is intended cannot be
	// decided from this file — confirm with the runtime's behaviour for
	// unknown capabilities before extending the list.
	privilegedCaps = []string{
		"CAP_AUDIT_CONTROL",
		"CAP_AUDIT_READ",
		"CAP_AUDIT_WRITE",
		"CAP_BLOCK_SUSPEND",
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_DAC_READ_SEARCH",
		"CAP_FOWNER",
		"CAP_FSETID",
		"CAP_IPC_LOCK",
		"CAP_IPC_OWNER",
		"CAP_KILL",
		"CAP_LEASE",
		"CAP_LINUX_IMMUTABLE",
		"CAP_MAC_ADMIN",
		"CAP_MAC_OVERRIDE",
		"CAP_MKNOD",
		"CAP_NET_ADMIN",
		"CAP_NET_BIND_SERVICE",
		"CAP_NET_BROADCAST",
		"CAP_NET_RAW",
		"CAP_SETFCAP",
		"CAP_SETGID",
		"CAP_SETPCAP",
		"CAP_SETUID",
		"CAP_SYSLOG",
		"CAP_SYS_ADMIN",
		"CAP_SYS_BOOT",
		"CAP_SYS_CHROOT",
		"CAP_SYS_MODULE",
		"CAP_SYS_NICE",
		"CAP_SYS_PACCT",
		"CAP_SYS_PTRACE",
		"CAP_SYS_RAWIO",
		"CAP_SYS_RESOURCE",
		"CAP_SYS_TIME",
		"CAP_SYS_TTY_CONFIG",
		"CAP_WAKE_ALARM",
	}

	// UnprivilegedContainerCapabilities is the capability spec for ordinary
	// containers: unprivilegedCaps in all four of Effective, Bounding,
	// Inheritable and Permitted. Exported and mutable; the slices are shared
	// with every caller, so treat them as read-only.
	UnprivilegedContainerCapabilities = uniformCapabilitySet(unprivilegedCaps)

	// PrivilegedContainerCapabilities is the capability spec for privileged
	// containers: privilegedCaps in all four sets. Same sharing caveat as
	// above.
	PrivilegedContainerCapabilities = uniformCapabilitySet(privilegedCaps)
)