bf2b8a05a0
Currently moby drops ep sets before the entrypoint is executed.
This does mean that with combination of no-new-privileges the
file capabilities stops working with non-root containers.
This is undesired as the usability of such containers is harmed
comparing to running root containers.
This commit therefore sets the effective/permitted set in order
to allow use of file capabilities or libcap(3)/prctl(2) respectively
with combination of no-new-privileges and without respectively.
For no-new-privileges the container will be able to obtain capabilities
that are requested.
Signed-off-by: Luboslav Pivarc <lpivarc@redhat.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| caps | ||
| fixtures | ||
| defaults.go | ||
| devices_linux.go | ||
| fuzz_test.go | ||
| namespaces.go | ||
| oci.go | ||
| oci_test.go | ||
| seccomp_test.go | ||