moby/oci
Luboslav Pivarc 09b65e0082
Do not drop effective&permitted set
Currently moby drops ep sets before the entrypoint is executed.
This does mean that with combination of no-new-privileges the
file capabilities stops working with non-root containers.
This is undesired as the usability of such containers is harmed
comparing to running root containers.

This commit therefore sets the effective/permitted set in order
to allow use of file capabilities or libcap(3)/prctl(2) respectively
with combination of no-new-privileges and without respectively.

For no-new-privileges the container will be able to obtain capabilities
that are requested.

Signed-off-by: Luboslav Pivarc <lpivarc@redhat.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 3aef732e61)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 22:45:39 +02:00
..
caps oci/caps: limit available capabilities to current environment 2021-10-15 16:12:26 +02:00
fixtures Fix permissions on oci fixtures files 2020-11-27 10:29:47 +07:00
defaults.go oci: inheritable capability set should be empty 2022-02-08 14:33:44 -08:00
devices_linux.go runconfig, oci, image, layer, distribution: fix empty-lines (revive) 2022-10-01 00:01:14 +02:00
devices_linux_test.go replace uses of deprecated libcontainer/configs.Device 2021-06-02 17:55:51 +02:00
namespaces.go daemon: ensure OCI options play nicely together 2023-08-13 22:45:15 +02:00
oci.go Do not drop effective&permitted set 2023-08-13 22:45:39 +02:00
oci_test.go Fix daemon panic when starting container with invalid device cgroup rule 2021-01-22 16:02:19 +01:00
seccomp_test.go refactor: move from io/ioutil to io and os package 2021-08-27 14:56:57 +08:00