Skip to content

Commit cbfc922

Browse files
crosbymichaelcrosbymichael
authored
Merge pull request containerd#2241 from justincormack/ambient_seccomp
The set of bounding capabilities is the largest group
2 parents def3069 + 9435aee commit cbfc922

File tree

1 file changed

+3
-19
lines changed

1 file changed

+3
-19
lines changed

contrib/seccomp/seccomp_default.go

Lines changed: 3 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -444,25 +444,8 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
444444
})
445445
}
446446

447-
// make a map of enabled capabilities
448-
caps := make(map[string]bool)
447+
admin := false
449448
for _, c := range sp.Process.Capabilities.Bounding {
450-
caps[c] = true
451-
}
452-
for _, c := range sp.Process.Capabilities.Effective {
453-
caps[c] = true
454-
}
455-
for _, c := range sp.Process.Capabilities.Inheritable {
456-
caps[c] = true
457-
}
458-
for _, c := range sp.Process.Capabilities.Permitted {
459-
caps[c] = true
460-
}
461-
for _, c := range sp.Process.Capabilities.Ambient {
462-
caps[c] = true
463-
}
464-
465-
for c := range caps {
466449
switch c {
467450
case "CAP_DAC_READ_SEARCH":
468451
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
@@ -471,6 +454,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
471454
Args: []specs.LinuxSeccompArg{},
472455
})
473456
case "CAP_SYS_ADMIN":
457+
admin = true
474458
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
475459
Names: []string{
476460
"bpf",
@@ -558,7 +542,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
558542
}
559543
}
560544

561-
if !caps["CAP_SYS_ADMIN"] {
545+
if !admin {
562546
switch runtime.GOARCH {
563547
case "s390", "s390x":
564548
s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{

0 commit comments

Comments
 (0)