moby/oci/caps
Sebastiaan van Stijn 485cf38d48
oci/caps: limit available capabilities to current environment
In situations where docker runs in an environment where capabilities are limited,
sucn as docker-in-docker in a container created by older versions of docker, or
in a container where some capabilities have been disabled, starting a privileged
container may fail, because even though the _kernel_ supports a capability, the
capability is not available.

This patch attempts to address this problem by limiting the list of "known" capa-
bilities on the set of effective capabilties for the current process. This code
is based on the code in containerd's "caps" package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-15 16:12:26 +02:00
..
defaults.go Move DefaultCapabilities() to caps package 2019-11-14 21:13:16 +02:00
utils.go oci/caps: limit available capabilities to current environment 2021-10-15 16:12:26 +02:00
utils_linux.go oci/caps: limit available capabilities to current environment 2021-10-15 16:12:26 +02:00
utils_other.go oci/caps: limit available capabilities to current environment 2021-10-15 16:12:26 +02:00