maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

container: raise CAP_DAC_OVERRIDE

Browse Source 
This is required for upperdir and workdir checks in overlayfs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-08-08 00:43:19 +09:00
parent b353c3deea
commit f1a53d6116
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
container/capability.go
View File

@@ -12,8 +12,9 @@ const (
PR_CAP_AMBIENT_RAISE = 0x2
PR_CAP_AMBIENT_CLEAR_ALL = 0x4
CAP_SYS_ADMIN = 0x15
CAP_SETPCAP = 0x8
CAP_SYS_ADMIN = 0x15
CAP_SETPCAP = 0x8
CAP_DAC_OVERRIDE = 0x1
)
type (

2
container/container.go
View File

@@ -146,7 +146,7 @@ func (p *Container) Start() error {
CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,
// remain privileged for setup
AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP},
AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP, CAP_DAC_OVERRIDE},
UseCgroupFD: p.Cgroup != nil,
}