
Commit 4e179bd

Set ambient capabilities where supported
Since Linux 4.3 ambient capabilities are available. If set, these allow unprivileged child processes to inherit capabilities, while at present there is no means to set capabilities on non-root processes, other than via filesystem capabilities, which are not usually supported in image formats. With ambient capabilities non-root processes can be given capabilities as well, and so the main reason to use root in containers goes away, and capabilities work as expected. The code falls back to the existing behaviour if ambient capabilities are not supported.

Signed-off-by: Justin Cormack <[email protected]>
1 parent 1359131 commit 4e179bd
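The kernel interface behind this change, as an added example that is not the commit's or runc's own code: it probes for ambient-capability support the same way the fallback described above has to (a kernel older than 4.3 rejects the prctl option with EINVAL) and then raises a capability into the ambient set. The prctl option values and the CAP_NET_BIND_SERVICE number come from the kernel headers; the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"syscall"
)

// Values from linux/prctl.h and linux/capability.h (ambient set: Linux >= 4.3).
const (
	prCapAmbient      = 47
	prCapAmbientIsSet = 1
	prCapAmbientRaise = 2
	capNetBindService = 10 // CAP_NET_BIND_SERVICE
)

// ambientSupported: a pre-4.3 kernel rejects PR_CAP_AMBIENT with EINVAL, the signal the fallback keys on.
func ambientSupported() (bool, error) {
	_, _, errno := syscall.RawSyscall6(syscall.SYS_PRCTL, prCapAmbient, prCapAmbientIsSet, capNetBindService, 0, 0, 0)
	switch errno {
	case 0:
		return true, nil
	case syscall.EINVAL:
		return false, nil
	}
	return false, fmt.Errorf("probe PR_CAP_AMBIENT: %w", errno)
}

// raiseAmbient adds capID to the calling thread's ambient set; the kernel allows it
// only if capID is already in BOTH the permitted and inheritable sets, else EPERM.
func raiseAmbient(capID uintptr) error {
	if _, _, errno := syscall.RawSyscall6(syscall.SYS_PRCTL, prCapAmbient, prCapAmbientRaise, capID, 0, 0, 0); errno != 0 {
		return fmt.Errorf("PR_CAP_AMBIENT_RAISE cap %d: %w", capID, errno)
	}
	return nil
}

// applyAmbient mirrors the commit's policy: raise the requested capabilities, or
// do nothing (the pre-4.3 behaviour) if the kernel has no ambient set at all.
func applyAmbient(caps []uintptr) (bool, error) {
	if ok, err := ambientSupported(); err != nil || !ok {
		return false, err
	}
	for _, c := range caps {
		if err := raiseAmbient(c); err != nil {
			return false, err
		}
	}
	return true, nil
}
func main() { fmt.Println(applyAmbient([]uintptr{capNetBindService})) }
```

The ambient set is per-thread, so a real launcher must do this before the process goes multi-threaded (as libcontainer's init does) or use syscall.AllThreadsSyscall6. From an ordinary unprivileged shell raiseAmbient returns EPERM, because the capability is not in the inheritable set.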


6 files changed: +71 -16 lines changed


Godeps/Godeps.json

Lines changed: 1 addition & 1 deletion

Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go

Lines changed: 10 additions & 10 deletions

Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go

Lines changed: 46 additions & 4 deletions

Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go

Lines changed: 4 additions & 0 deletions

Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go

Lines changed: 9 additions & 0 deletions

libcontainer/capabilities_linux.go

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@ import (
1010
"github.com/syndtr/gocapability/capability"
1111
)
1212

13-
const allCapabilityTypes = capability.CAPS | capability.BOUNDS
13+
const allCapabilityTypes = capability.CAPS | capability.BOUNDS | capability.AMBS
1414

1515
var capabilityMap map[string]capability.Cap
1616
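Review bot: the fallback the commit message promises ("falls back to the existing behaviour if ambient capabilities are not supported") is not visible anywhere in this hunk; the only change is ORing `capability.AMBS` into `allCapabilityTypes`, so the whole behaviour on pre-4.3 kernels rests on the vendored gocapability update silently skipping the ambient set. Add a comment on the constant stating that, e.g. `// AMBS is ignored by the library on kernels before 4.3 (no ambient set)`, so a later reader does not assume ambient capabilities are always applied. Worth recording at the same place that the kernel only lets a capability be raised into the ambient set when it is already in both the permitted and inheritable sets, so a single combined Apply with `CAPS | BOUNDS | AMBS` only works if the library sets the inheritable set before the ambient one.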

0 commit comments
