kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

native driver: Add required capabilities

Browse source 
We need SETFCAP to be able to mark files as having caps, which is
heavily used by fedora.
See https://github.com/dotcloud/docker/issues/5928

We also need SETPCAP, for instance systemd needs this to set caps
on its childen.

Both of these are safe in the sense that they can never ever
result in a process with a capability not in the bounding set of the
container.

We also add NET_BIND_SERVICE caps, to be able to bind to ports lower
than 1024.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
This commit is contained in:
Alexander Larsson 2014-05-20 09:58:30 +02:00
parent bfe72c6189
commit fcf2e9a910
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
daemon/execdriver/native/template/default_template.go
View file

@ -17,6 +17,9 @@ func New() *libcontainer.Container {
"NET_RAW", "NET_RAW",
"SETGID", "SETGID",
"SETUID", "SETUID",
"SETFCAP",
"SETPCAP",
"NET_BIND_SERVICE",
}, },
Namespaces: map[string]bool{ Namespaces: map[string]bool{
"NEWNS": true, "NEWNS": true,