// +build linux
package host
import "github.com/opencontainers/runc/libcontainer/configs"
// DefaultCapabilities is the default list of capabilities which are set inside
// a container, taken from:
// https://github.com/opencontainers/runc/blob/v1.0.0-rc8/libcontainer/SPEC.md#security
//
// Security notes for maintainers:
//   - This is runc's *default* set, not a minimal one. Several entries let a
//     process step outside ordinary DAC/UID boundaries (CAP_DAC_OVERRIDE,
//     CAP_SETUID/CAP_SETGID, CAP_FOWNER, CAP_FSETID, CAP_CHOWN, CAP_MKNOD,
//     CAP_SYS_CHROOT) or put raw/packet sockets in reach (CAP_NET_RAW).
//     Workloads that do not need a capability should drop it rather than rely
//     on this baseline.
//   - This file only declares the names. Which capability sets they land in
//     (bounding, permitted, effective, ambient) and whether seccomp or
//     no_new_privs accompany them is decided by the code that consumes this
//     slice, not here.
//   - The slice is exported, mutable package state: appending to or editing
//     it changes the defaults for every container created afterwards in this
//     process. Re-check the list against the pinned SPEC revision whenever the
//     runc dependency is bumped.
var DefaultCapabilities = []string{
	// Networking: raw/packet sockets and binding to ports below 1024.
	"CAP_NET_RAW",
	"CAP_NET_BIND_SERVICE",
	// Kernel audit subsystem access.
	"CAP_AUDIT_READ",
	"CAP_AUDIT_WRITE",
	// Bypass of file read/write/execute permission checks.
	"CAP_DAC_OVERRIDE",
	// Setting file capabilities and altering the process's own capability sets.
	"CAP_SETFCAP",
	"CAP_SETPCAP",
	// Changing UIDs/GIDs (setuid binaries, user switching).
	"CAP_SETGID",
	"CAP_SETUID",
	// Creating device nodes; changing ownership and set-id/mode bits on files.
	"CAP_MKNOD",
	"CAP_CHOWN",
	"CAP_FOWNER",
	"CAP_FSETID",
	// Signalling processes owned by other users, and chroot(2).
	"CAP_KILL",
	"CAP_SYS_CHROOT",
}
// Device defaults derived from runc's libcontainer configuration. Both slices
// are built once at package init by copying runc's package-level entries
// field by field, so the *Device values here do not alias runc's globals.
// They are, however, exported mutable package state: editing an element or
// appending to either slice changes the defaults for every container created
// afterwards in this process.
var (
	// DefaultAllowedDevices is the default list of devices containers are
	// allowed to access.
	DefaultAllowedDevices = fromConfigDevices(configs.DefaultAllowedDevices)

	// DefaultAutoCreatedDevices is the default list of devices created inside
	// containers.
	//
	// NOTE(review): this is initialised from configs.DefaultAllowedDevices —
	// the same source as DefaultAllowedDevices — rather than from a dedicated
	// auto-created list. If runc's allowed list carries entries that are only
	// cgroup rules (wildcard major/minor, empty Path), they reach whatever
	// creates nodes from this slice; confirm the consumer tolerates that, or
	// whether runc's own DefaultAutoCreatedDevices was intended here.
	DefaultAutoCreatedDevices = fromConfigDevices(configs.DefaultAllowedDevices)
)
// Config converts d into runc's libcontainer device representation.
//
// The result is a freshly allocated *configs.Device with every field copied
// by value, so mutating it does not affect d (and vice versa). No validation
// or normalisation happens here: Path, Major/Minor, Permissions, FileMode,
// Uid/Gid and Allow are passed through verbatim, so the decision of whether a
// device should be exposed to a container at all belongs to the caller.
// Calling this on a nil receiver panics.
func (d *Device) Config() *configs.Device {
	var cfg configs.Device
	cfg.Type = d.Type
	cfg.Path = d.Path
	cfg.Major = d.Major
	cfg.Minor = d.Minor
	cfg.Permissions = d.Permissions
	cfg.FileMode = d.FileMode
	cfg.Uid = d.Uid
	cfg.Gid = d.Gid
	cfg.Allow = d.Allow
	return &cfg
}
// fromConfigDevices converts a slice of runc device configs into this
// package's *Device representation.
//
// Each output element is a new *Device with the fields copied by value, so the
// result does not alias the input (in particular, callers may pass runc's
// package-level defaults without later edits leaking back into them). The
// output always has exactly len(ds) entries in the same order and is non-nil
// even for an empty or nil input. A nil element in ds panics.
func fromConfigDevices(ds []*configs.Device) []*Device {
	out := make([]*Device, 0, len(ds))
	for _, cd := range ds {
		out = append(out, &Device{
			Type:        cd.Type,
			Path:        cd.Path,
			Major:       cd.Major,
			Minor:       cd.Minor,
			Permissions: cd.Permissions,
			FileMode:    cd.FileMode,
			Uid:         cd.Uid,
			Gid:         cd.Gid,
			Allow:       cd.Allow,
		})
	}
	return out
}
// ConfigDevices converts a slice of *Device into runc libcontainer device
// configs, preserving order.
//
// Every entry is produced by (*Device).Config, so the result is a deep copy
// with respect to field values and does not alias ds. The returned slice has
// exactly len(ds) entries and is non-nil even when ds is empty or nil. A nil
// element in ds panics inside Config.
func ConfigDevices(ds []*Device) []*configs.Device {
	out := make([]*configs.Device, 0, len(ds))
	for _, dev := range ds {
		out = append(out, dev.Config())
	}
	return out
}