docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Gate name_to_handle_at by CAP_SYS_ADMIN not CAP_DAC_READ_SEARCH 

Only open_by_handle_at requires CAP_DAC_READ_SEARCH.

This allows systemd to run with only `--cap-add SYS_ADMIN`
rather than having to also add `--cap-add DAC_READ_SEARCH`
as well which it does not really need.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit c1ca124682a90f3306b34ad104ba80e413f7bf88)
Signed-off-by: Tibor Vass <tibor@docker.com>
This commit is contained in:
Justin Cormack 2016-08-10 12:22:36 +01:00 committed by Tibor Vass
parent 769c25c416
commit 265f7a37bd
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
profiles/seccomp/seccomp_default.go
View File

@ -1667,11 +1667,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
switch cap {
case "CAP_DAC_READ_SEARCH":
syscalls = append(syscalls, []*types.Syscall{
{
Name: "name_to_handle_at",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "open_by_handle_at",
Action: types.ActAllow,
@ -1706,6 +1701,11 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "name_to_handle_at",
Action: types.ActAllow,
Args: []*types.Arg{},
},
{
Name: "perf_event_open",
Action: types.ActAllow,