Browse code
Gate name_to_handle_at by CAP_SYS_ADMIN not CAP_DAC_READ_SEARCH
Only open_by_handle_at requires CAP_DAC_READ_SEARCH.
This allows systemd to run with only `--cap-add SYS_ADMIN`
rather than having to also add `--cap-add DAC_READ_SEARCH`
as well which it does not really need.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Justin Cormack authored on 2016/08/10 20:22:36Showing 1 changed files
| ... | ... |
@@ -1668,11 +1668,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
| 1668 | 1668 |
case "CAP_DAC_READ_SEARCH": |
| 1669 | 1669 |
syscalls = append(syscalls, []*types.Syscall{
|
| 1670 | 1670 |
{
|
| 1671 |
- Name: "name_to_handle_at", |
|
| 1672 |
- Action: types.ActAllow, |
|
| 1673 |
- Args: []*types.Arg{},
|
|
| 1674 |
- }, |
|
| 1675 |
- {
|
|
| 1676 | 1671 |
Name: "open_by_handle_at", |
| 1677 | 1672 |
Action: types.ActAllow, |
| 1678 | 1673 |
Args: []*types.Arg{},
|
| ... | ... |
@@ -1707,6 +1702,11 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
| 1707 | 1707 |
Args: []*types.Arg{},
|
| 1708 | 1708 |
}, |
| 1709 | 1709 |
{
|
| 1710 |
+ Name: "name_to_handle_at", |
|
| 1711 |
+ Action: types.ActAllow, |
|
| 1712 |
+ Args: []*types.Arg{},
|
|
| 1713 |
+ }, |
|
| 1714 |
+ {
|
|
| 1710 | 1715 |
Name: "perf_event_open", |
| 1711 | 1716 |
Action: types.ActAllow, |
| 1712 | 1717 |
Args: []*types.Arg{},
|