We use cookies to ensure you get the best experience on our website
Inicio Explorar Axuda
Rexistro Iniciar sesión
0ct0pu5
/
moby
1
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Árbore: be2f53ece8
Ramas Etiquetas
moby
/
daemon
/
execdriver
/
native
/
template
/
default_template_linux.go

default_template_linux.go 2.0 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1. package template
    2. 

  2. 

  3. import (
    4. 

  4. 	"syscall"
    5. 

  5. 

  6. 	"github.com/opencontainers/runc/libcontainer/apparmor"
    7. 

  7. 	"github.com/opencontainers/runc/libcontainer/configs"
    8. 

  8. )
    9. 

  9. 

  10. const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
    11. 

  11. 

  12. // New returns the docker default configuration for libcontainer
    13. 

  13. func New() *configs.Config {
    14. 

  14. 	container := &configs.Config{
    15. 

  15. 		Capabilities: []string{
    16. 

  16. 			"CHOWN",
    17. 

  17. 			"DAC_OVERRIDE",
    18. 

  18. 			"FSETID",
    19. 

  19. 			"FOWNER",
    20. 

  20. 			"MKNOD",
    21. 

  21. 			"NET_RAW",
    22. 

  22. 			"SETGID",
    23. 

  23. 			"SETUID",
    24. 

  24. 			"SETFCAP",
    25. 

  25. 			"SETPCAP",
    26. 

  26. 			"NET_BIND_SERVICE",
    27. 

  27. 			"SYS_CHROOT",
    28. 

  28. 			"KILL",
    29. 

  29. 			"AUDIT_WRITE",
    30. 

  30. 		},
    31. 

  31. 		Namespaces: configs.Namespaces([]configs.Namespace{
    32. 

  32. 			{Type: "NEWNS"},
    33. 

  33. 			{Type: "NEWUTS"},
    34. 

  34. 			{Type: "NEWIPC"},
    35. 

  35. 			{Type: "NEWPID"},
    36. 

  36. 			{Type: "NEWNET"},
    37. 

  37. 			{Type: "NEWUSER"},
    38. 

  38. 		}),
    39. 

  39. 		Cgroups: &configs.Cgroup{
    40. 

  40. 			Parent:           "docker",
    41. 

  41. 			AllowAllDevices:  false,
    42. 

  42. 			MemorySwappiness: -1,
    43. 

  43. 		},
    44. 

  44. 		Mounts: []*configs.Mount{
    45. 

  45. 			{
    46. 

  46. 				Source:      "proc",
    47. 

  47. 				Destination: "/proc",
    48. 

  48. 				Device:      "proc",
    49. 

  49. 				Flags:       defaultMountFlags,
    50. 

  50. 			},
    51. 

  51. 			{
    52. 

  52. 				Source:      "tmpfs",
    53. 

  53. 				Destination: "/dev",
    54. 

  54. 				Device:      "tmpfs",
    55. 

  55. 				Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
    56. 

  56. 				Data:        "mode=755",
    57. 

  57. 			},
    58. 

  58. 			{
    59. 

  59. 				Source:      "devpts",
    60. 

  60. 				Destination: "/dev/pts",
    61. 

  61. 				Device:      "devpts",
    62. 

  62. 				Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
    63. 

  63. 				Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
    64. 

  64. 			},
    65. 

  65. 			{
    66. 

  66. 				Source:      "sysfs",
    67. 

  67. 				Destination: "/sys",
    68. 

  68. 				Device:      "sysfs",
    69. 

  69. 				Flags:       defaultMountFlags | syscall.MS_RDONLY,
    70. 

  70. 			},
    71. 

  71. 			{
    72. 

  72. 				Source:      "cgroup",
    73. 

  73. 				Destination: "/sys/fs/cgroup",
    74. 

  74. 				Device:      "cgroup",
    75. 

  75. 				Flags:       defaultMountFlags | syscall.MS_RDONLY,
    76. 

  76. 			},
    77. 

  77. 		},
    78. 

  78. 		MaskPaths: []string{
    79. 

  79. 			"/proc/kcore",
    80. 

  80. 			"/proc/latency_stats",
    81. 

  81. 			"/proc/timer_stats",
    82. 

  82. 		},
    83. 

  83. 		ReadonlyPaths: []string{
    84. 

  84. 			"/proc/asound",
    85. 

  85. 			"/proc/bus",
    86. 

  86. 			"/proc/fs",
    87. 

  87. 			"/proc/irq",
    88. 

  88. 			"/proc/sys",
    89. 

  89. 			"/proc/sysrq-trigger",
    90. 

  90. 		},
    91. 

  91. 	}
    92. 

  92. 

  93. 	if apparmor.IsEnabled() {
    94. 

  94. 		container.AppArmorProfile = "docker-default"
    95. 

  95. 	}
    96. 

  96. 

  97. 	return container
    98. 

  98. }
    99.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5