opensourcemirror
/
concourse
mirror of https://github.com/concourse/concourse.git
1
0
Fork 0
Code Issues Releases Wiki Activity
concourse/worker/backend/spec/capabilities.go

86 lines
1.6 KiB
Go
Raw Blame History

package spec
import "github.com/opencontainers/runtime-spec/specs-go"
func OciCapabilities(privileged bool) specs.LinuxCapabilities {
if !privileged {
return UnprivilegedContainerCapabilities
}
return PrivilegedContainerCapabilities
}
var (
PrivilegedContainerCapabilities = specs.LinuxCapabilities{
Effective: privilegedCaps,
Bounding: privilegedCaps,
Inheritable: privilegedCaps,
Permitted: privilegedCaps,
}
UnprivilegedContainerCapabilities = specs.LinuxCapabilities{
Effective: unprivilegedCaps,
Bounding: unprivilegedCaps,
Inheritable: unprivilegedCaps,
Permitted: unprivilegedCaps,
}
unprivilegedCaps = []string{
"CAP_AUDIT_WRITE",
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FOWNER",
"CAP_FSETID",
"CAP_KILL",
"CAP_MKNOD",
"CAP_NET_BIND_SERVICE",
"CAP_NET_RAW",
"CAP_SETFCAP",
"CAP_SETGID",
"CAP_SETPCAP",
"CAP_SETUID",
"CAP_SYS_CHROOT",
}
privilegedCaps = []string{
"CAP_AUDIT_CONTROL",
"CAP_AUDIT_READ",
"CAP_AUDIT_WRITE",
"CAP_BLOCK_SUSPEND",
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_DAC_READ_SEARCH",
"CAP_FOWNER",
"CAP_FSETID",
"CAP_IPC_LOCK",
"CAP_IPC_OWNER",
"CAP_KILL",
"CAP_LEASE",
"CAP_LINUX_IMMUTABLE",
"CAP_MAC_ADMIN",
"CAP_MAC_OVERRIDE",
"CAP_MKNOD",
"CAP_NET_ADMIN",
"CAP_NET_BIND_SERVICE",
"CAP_NET_BROADCAST",
"CAP_NET_RAW",
"CAP_SETFCAP",
"CAP_SETGID",
"CAP_SETPCAP",
"CAP_SETUID",
"CAP_SYSLOG",
"CAP_SYS_ADMIN",
"CAP_SYS_BOOT",
"CAP_SYS_CHROOT",
"CAP_SYS_MODULE",
"CAP_SYS_NICE",
"CAP_SYS_PACCT",
"CAP_SYS_PTRACE",
"CAP_SYS_RAWIO",
"CAP_SYS_RESOURCE",
"CAP_SYS_TIME",
"CAP_SYS_TTY_CONFIG",
"CAP_WAKE_ALARM",
}
)
Reference in New Issue View Git Blame Copy Permalink