moby/oci
Sebastiaan van Stijn 485cf38d48
oci/caps: limit available capabilities to current environment
In situations where docker runs in an environment where capabilities are limited,
sucn as docker-in-docker in a container created by older versions of docker, or
in a container where some capabilities have been disabled, starting a privileged
container may fail, because even though the _kernel_ supports a capability, the
capability is not available.

This patch attempts to address this problem by limiting the list of "known" capa-
bilities on the set of effective capabilties for the current process. This code
is based on the code in containerd's "caps" package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-15 16:12:26 +02:00
..
caps oci/caps: limit available capabilities to current environment 2021-10-15 16:12:26 +02:00
fixtures Fix permissions on oci fixtures files 2020-11-27 10:29:47 +07:00
defaults.go daemon, oci: remove LCOW bits 2021-07-27 13:35:59 +02:00
devices_linux.go replace uses of deprecated libcontainer/configs.Device 2021-06-02 17:55:51 +02:00
devices_linux_test.go replace uses of deprecated libcontainer/configs.Device 2021-06-02 17:55:51 +02:00
namespaces.go goimports: fix imports 2019-09-18 12:56:54 +02:00
oci.go reformat "nolint" comments 2021-06-10 13:03:42 +02:00
oci_test.go Fix daemon panic when starting container with invalid device cgroup rule 2021-01-22 16:02:19 +01:00
seccomp_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00