moby/profiles/seccomp
Sebastiaan van Stijn 8912c1fade
seccomp: allow "bpf", "perf_event_open", gated by CAP_BPF, CAP_PERFMON
Update the profile to make use of CAP_BPF and CAP_PERFMON capabilities. Prior to
kernel 5.8, bpf and perf_event_open required CAP_SYS_ADMIN. This change enables
finer control of the privilege setting, thus allowing us to run certain system
tracing tools with minimal privileges.

Based on the original patch from Henry Wang in the containerd repository.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7b7d1132e8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 18:36:49 +02:00
..
fixtures seccomp: Use explicit DefaultErrnoRet 2021-07-30 19:13:21 +02:00
default.json seccomp: allow "bpf", "perf_event_open", gated by CAP_BPF, CAP_PERFMON 2022-08-18 18:36:49 +02:00
default_linux.go seccomp: allow "bpf", "perf_event_open", gated by CAP_BPF, CAP_PERFMON 2022-08-18 18:36:49 +02:00
generate.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00
kernel_linux.go all: use unix.ByteSliceToString for utsname fields 2022-05-18 17:13:20 -07:00
kernel_linux_test.go seccomp: implement marshal/unmarshall for MinVersion 2020-10-07 17:48:25 +02:00
seccomp.go seccomp: Seccomp: embed oci-spec LinuxSeccomp, add support for seccomp flags 2021-07-17 15:57:54 +02:00
seccomp_linux.go seccomp: Seccomp: embed oci-spec LinuxSeccomp, add support for seccomp flags 2021-07-17 15:57:54 +02:00
seccomp_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00