
Commit 55cb777

liudlongwenlingz
authored andcommitted
ACRN: dm: Add new capabilities for runC container
The patch adds more Linux capabilities for runC container. In ACRN runC we will map native root directory to the container, when we launch UOS from container it need more Linux capabilities to operate dev node. So add the capabilities in runC configuration file. Tracked-On: #2020 Signed-off-by: Long Liu <long.liu@intel.com> Reviewed-by: Yu Wang <yu1.wang@intel.com>
1 parent 5690b76 commit 55cb777


1 file changed

+180
-5
lines changed


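--- a/devicemodel/samples/apl-mrb/runC.json
+++ b/devicemodel/samples/apl-mrb/runC.json
@@ -16,35 +16,210 @@
 "cwd": "/",
 "capabilities": {
 "bounding": [
+"CAP_AUDIT_WRITE",
+"CAP_CHOWN",
+"CAP_DAC_OVERRIDE",
+"CAP_DAC_READ_SEARCH",
+"CAP_FOWNER",
+"CAP_FSETID",
+"CAP_KILL",
+"CAP_SETGID",
+"CAP_SETUID",
+"CAP_SETPCAP",
+"CAP_LINUX_IMMUTABLE",
+"CAP_NET_BIND_SERVICE",
+"CAP_NET_BROADCAST",
+"CAP_NET_ADMIN",
+"CAP_NET_RAW",
+"CAP_IPC_LOCK",
+"CAP_IPC_OWNER",
+"CAP_SYS_MODULE",
+"CAP_SYS_RAWIO",
+"CAP_SYS_CHROOT",
+"CAP_SYS_PTRACE",
+"CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+"CAP_SYS_BOOT",
+"CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+"CAP_SYS_TIME",
+"CAP_SYS_TTY_CONFIG",
+"CAP_MKNOD",
+"CAP_LEASE",
+"CAP_AUDIT_WRITE",
+"CAP_AUDIT_CONTROL",
+"CAP_SETFCAP",
+"CAP_MAC_OVERRIDE",
+"CAP_MAC_ADMIN",
+"CAP_SYSLOG",
 "CAP_WAKE_ALARM",
-"CAP_SYS_MODULE"
+"CAP_BLOCK_SUSPEND",
+"CAP_AUDIT_READ"
 
 ],
 "effective": [
+"CAP_AUDIT_WRITE",
+"CAP_CHOWN",
+"CAP_DAC_OVERRIDE",
+"CAP_DAC_READ_SEARCH",
+"CAP_FOWNER",
+"CAP_FSETID",
+"CAP_KILL",
+"CAP_SETGID",
+"CAP_SETUID",
+"CAP_SETPCAP",
+"CAP_LINUX_IMMUTABLE",
+"CAP_NET_BIND_SERVICE",
+"CAP_NET_BROADCAST",
+"CAP_NET_ADMIN",
+"CAP_NET_RAW",
+"CAP_IPC_LOCK",
+"CAP_IPC_OWNER",
+"CAP_SYS_MODULE",
+"CAP_SYS_RAWIO",
+"CAP_SYS_CHROOT",
+"CAP_SYS_PTRACE",
+"CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+"CAP_SYS_BOOT",
+"CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+"CAP_SYS_TIME",
+"CAP_SYS_TTY_CONFIG",
+"CAP_MKNOD",
+"CAP_LEASE",
+"CAP_AUDIT_WRITE",
+"CAP_AUDIT_CONTROL",
+"CAP_SETFCAP",
+"CAP_MAC_OVERRIDE",
+"CAP_MAC_ADMIN",
+"CAP_SYSLOG",
 "CAP_WAKE_ALARM",
-"CAP_SYS_MODULE"
+"CAP_BLOCK_SUSPEND",
+"CAP_AUDIT_READ"
 ],
 "inheritable": [
+"CAP_AUDIT_WRITE",
+"CAP_CHOWN",
+"CAP_DAC_OVERRIDE",
+"CAP_DAC_READ_SEARCH",
+"CAP_FOWNER",
+"CAP_FSETID",
+"CAP_KILL",
+"CAP_SETGID",
+"CAP_SETUID",
+"CAP_SETPCAP",
+"CAP_LINUX_IMMUTABLE",
+"CAP_NET_BIND_SERVICE",
+"CAP_NET_BROADCAST",
+"CAP_NET_ADMIN",
+"CAP_NET_RAW",
+"CAP_IPC_LOCK",
+"CAP_IPC_OWNER",
+"CAP_SYS_MODULE",
+"CAP_SYS_RAWIO",
+"CAP_SYS_CHROOT",
+"CAP_SYS_PTRACE",
+"CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+"CAP_SYS_BOOT",
+"CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+"CAP_SYS_TIME",
+"CAP_SYS_TTY_CONFIG",
+"CAP_MKNOD",
+"CAP_LEASE",
+"CAP_AUDIT_WRITE",
+"CAP_AUDIT_CONTROL",
+"CAP_SETFCAP",
+"CAP_MAC_OVERRIDE",
+"CAP_MAC_ADMIN",
+"CAP_SYSLOG",
 "CAP_WAKE_ALARM",
-"CAP_SYS_MODULE"
+"CAP_BLOCK_SUSPEND",
+"CAP_AUDIT_READ"
 ],
 "permitted": [
+"CAP_AUDIT_WRITE",
+"CAP_CHOWN",
+"CAP_DAC_OVERRIDE",
+"CAP_DAC_READ_SEARCH",
+"CAP_FOWNER",
+"CAP_FSETID",
+"CAP_KILL",
+"CAP_SETGID",
+"CAP_SETUID",
+"CAP_SETPCAP",
+"CAP_LINUX_IMMUTABLE",
+"CAP_NET_BIND_SERVICE",
+"CAP_NET_BROADCAST",
+"CAP_NET_ADMIN",
+"CAP_NET_RAW",
+"CAP_IPC_LOCK",
+"CAP_IPC_OWNER",
+"CAP_SYS_MODULE",
+"CAP_SYS_RAWIO",
+"CAP_SYS_CHROOT",
+"CAP_SYS_PTRACE",
+"CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+"CAP_SYS_BOOT",
+"CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+"CAP_SYS_TIME",
+"CAP_SYS_TTY_CONFIG",
+"CAP_MKNOD",
+"CAP_LEASE",
+"CAP_AUDIT_WRITE",
+"CAP_AUDIT_CONTROL",
+"CAP_SETFCAP",
+"CAP_MAC_OVERRIDE",
+"CAP_MAC_ADMIN",
+"CAP_SYSLOG",
 "CAP_WAKE_ALARM",
-"CAP_SYS_MODULE"
+"CAP_BLOCK_SUSPEND",
+"CAP_AUDIT_READ"
 ],
 "ambient": [
+"CAP_AUDIT_WRITE",
+"CAP_CHOWN",
+"CAP_DAC_OVERRIDE",
+"CAP_DAC_READ_SEARCH",
+"CAP_FOWNER",
+"CAP_FSETID",
+"CAP_KILL",
+"CAP_SETGID",
+"CAP_SETUID",
+"CAP_SETPCAP",
+"CAP_LINUX_IMMUTABLE",
+"CAP_NET_BIND_SERVICE",
+"CAP_NET_BROADCAST",
+"CAP_NET_ADMIN",
+"CAP_NET_RAW",
+"CAP_IPC_LOCK",
+"CAP_IPC_OWNER",
+"CAP_SYS_MODULE",
+"CAP_SYS_RAWIO",
+"CAP_SYS_CHROOT",
+"CAP_SYS_PTRACE",
+"CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+"CAP_SYS_BOOT",
+"CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+"CAP_SYS_TIME",
+"CAP_SYS_TTY_CONFIG",
+"CAP_MKNOD",
+"CAP_LEASE",
+"CAP_AUDIT_WRITE",
+"CAP_AUDIT_CONTROL",
+"CAP_SETFCAP",
+"CAP_MAC_OVERRIDE",
+"CAP_MAC_ADMIN",
+"CAP_SYSLOG",
 "CAP_WAKE_ALARM",
-"CAP_SYS_MODULE"
+"CAP_BLOCK_SUSPEND",
+"CAP_AUDIT_READ"
 ]
 }
 },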
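Review bot: The new lists grant what looks like essentially the full capability set in every one of the five sets (bounding, effective, inheritable, permitted, ambient), including `CAP_SYS_MODULE`, `CAP_SYS_ADMIN`, `CAP_SYS_RAWIO`, `CAP_SYS_PTRACE`, `CAP_DAC_OVERRIDE`, `CAP_SETFCAP` and `CAP_MAC_ADMIN`/`CAP_MAC_OVERRIDE`; combined with the native root directory being mapped into the container (per the description), the container boundary no longer isolates anything from the host, so the sample is effectively a privileged root shell on the service OS. The description only justifies "operate dev node", which points at a much smaller set (plausibly `CAP_MKNOD`, `CAP_SYS_RAWIO` and `CAP_SYS_ADMIN` for mounts) — please trim the lists to what the UOS launch actually needs, or, if the full set is intentional for this sample, say so explicitly in the sample's README and in the description so nobody copies it into a production config. `"CAP_AUDIT_WRITE"` is also listed twice in each of the five arrays (it is the first added entry and again after `"CAP_LEASE"`); the duplicate should be removed, and the five identical arrays would be easier to keep in sync if they were generated or at least reviewed for drift. Minor: the bounding array keeps an empty line before its closing `],` that the other four arrays do not have.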
