From f1a53d611604482db975b312f4eeb6a81ea95ce5 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Fri, 8 Aug 2025 00:43:19 +0900
Subject: [PATCH] container: raise CAP_DAC_OVERRIDE

This is required for upperdir and workdir checks in overlayfs.

Signed-off-by: Ophestra
---
 container/capability.go | 5 +++--
 container/container.go | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/container/capability.go b/container/capability.go
index 7c36ce9..fda2fb2 100644
--- a/container/capability.go
+++ b/container/capability.go
@@ -12,8 +12,9 @@ const (
 PR_CAP_AMBIENT_RAISE = 0x2
 PR_CAP_AMBIENT_CLEAR_ALL = 0x4
 
- CAP_SYS_ADMIN = 0x15
- CAP_SETPCAP = 0x8
+ CAP_SYS_ADMIN = 0x15
+ CAP_SETPCAP = 0x8
+ CAP_DAC_OVERRIDE = 0x1
 )
 
 type (
diff --git a/container/container.go b/container/container.go
index 5a7858f..a0e1c2d 100644
--- a/container/container.go
+++ b/container/container.go
@@ -146,7 +146,7 @@ func (p *Container) Start() error {
 CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,
 
 // remain privileged for setup
- AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP},
+ AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP, CAP_DAC_OVERRIDE},
 UseCgroupFD: p.Cgroup != nil,
 }
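Review bot: The new `CAP_DAC_OVERRIDE` constant in the capability.go hunk carries no comment saying what it grants or where its value comes from, and since it widens the privilege set held during container setup that is worth stating next to the definition; a one-line comment such as `// CAP_DAC_OVERRIDE (1 in linux/capability.h) bypasses DAC read, write and execute permission checks on files.` would do. The value 0x1 does match the kernel's capability number, as 0x15 and 0x8 match CAP_SYS_ADMIN and CAP_SETPCAP. Because the container.go hunk adds it to AmbientCaps, it is inherited across execve until it is cleared; the `// remain privileged for setup` comment suggests a later drop that is outside this patch, so if that drop exists the comment should also say the capability is expected to be cleared with the other ambient caps before the workload runs.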