3aef732e61
Currently moby drops ep sets before the entrypoint is executed. This does mean that in combination with no-new-privileges, file capabilities stop working with non-root containers. This is undesired, as the usability of such containers is harmed compared to running root containers.

This commit therefore sets the effective/permitted set in order to allow use of file capabilities or libcap(3)/prctl(2) respectively, in combination with no-new-privileges and without, respectively. For no-new-privileges the container will be able to obtain capabilities that are requested.

Signed-off-by: Luboslav Pivarc <lpivarc@redhat.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>

- caps
- fixtures
- defaults.go
- devices_linux.go
- fuzz_test.go
- namespaces.go
- oci.go
- oci_test.go
- seccomp_test.go