1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/profiles
Justin Cormack 265f7a37bd Gate name_to_handle_at by CAP_SYS_ADMIN not CAP_DAC_READ_SEARCH
Only open_by_handle_at requires CAP_DAC_READ_SEARCH.

This allows systemd to run with only `--cap-add SYS_ADMIN`
rather than having to also add `--cap-add DAC_READ_SEARCH`
as well which it does not really need.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit c1ca124682)
Signed-off-by: Tibor Vass <tibor@docker.com>
2016-08-11 17:56:50 -07:00
..
apparmor
seccomp Gate name_to_handle_at by CAP_SYS_ADMIN not CAP_DAC_READ_SEARCH 2016-08-11 17:56:50 -07:00