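package spec

import "github.com/opencontainers/runtime-spec/specs-go"

// OciCapabilities returns the Linux capability sets to place in the OCI
// runtime spec of a Concourse container.
//
// privileged selects the broad PrivilegedContainerCapabilities list;
// otherwise the reduced UnprivilegedContainerCapabilities list is used.
//
// The returned value does not share backing storage with the package-level
// variables or between its own sets: Effective, Bounding, Inheritable and
// Permitted are each a fresh copy. Previously all four fields (and the
// package-level defaults) aliased one slice, so an in-place edit by a caller
// (e.g. dropping a capability for a single task) would silently change every
// set and the defaults handed to every subsequent container. Ambient is
// left unset (nil) in both modes.
func OciCapabilities(privileged bool) specs.LinuxCapabilities {
	if privileged {
		return cloneCapabilities(PrivilegedContainerCapabilities)
	}
	return cloneCapabilities(UnprivilegedContainerCapabilities)
}

// cloneCapabilities deep-copies every capability list in c so the result
// can be mutated independently of c. nil lists stay nil.
func cloneCapabilities(c specs.LinuxCapabilities) specs.LinuxCapabilities {
	return specs.LinuxCapabilities{
		Bounding:    cloneCaps(c.Bounding),
		Effective:   cloneCaps(c.Effective),
		Inheritable: cloneCaps(c.Inheritable),
		Permitted:   cloneCaps(c.Permitted),
		Ambient:     cloneCaps(c.Ambient),
	}
}

// cloneCaps returns an independent copy of caps; a nil input yields nil.
func cloneCaps(caps []string) []string {
	if caps == nil {
		return nil
	}
	out := make([]string, len(caps))
	copy(out, caps)
	return out
}

var (
	// PrivilegedContainerCapabilities is the capability set for
	// privileged containers. All four sets hold the same list; Ambient is
	// not set.
	//
	// NOTE(review): Inheritable is populated with the full list. A non-empty
	// inheritable set lets a binary inside the container that carries file
	// inheritable capabilities acquire them across execve; some runtimes
	// default Inheritable to empty for that reason. Worth confirming this is
	// intended rather than inherited from an older default spec.
	PrivilegedContainerCapabilities = specs.LinuxCapabilities{
		Effective:   privilegedCaps,
		Bounding:    privilegedCaps,
		Inheritable: privilegedCaps,
		Permitted:   privilegedCaps,
	}

	// UnprivilegedContainerCapabilities is the capability set for ordinary
	// (non-privileged) containers. As above, all four sets share the
	// unprivilegedCaps list and Ambient is not set; the same note about a
	// non-empty Inheritable set applies here.
	UnprivilegedContainerCapabilities = specs.LinuxCapabilities{
		Effective:   unprivilegedCaps,
		Bounding:    unprivilegedCaps,
		Inheritable: unprivilegedCaps,
		Permitted:   unprivilegedCaps,
	}

	// unprivilegedCaps is the reduced list granted to non-privileged
	// containers. It appears to mirror the common container-runtime default
	// set (14 capabilities). Notably it still includes CAP_NET_RAW (raw and
	// packet sockets inside the container) and CAP_DAC_OVERRIDE / CAP_FOWNER
	// (bypass of file permission checks within the container's mount
	// namespace); whether those are needed by typical tasks is a policy
	// question for the deployment, not something this file decides.
	unprivilegedCaps = []string{
		"CAP_AUDIT_WRITE",
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FOWNER",
		"CAP_FSETID",
		"CAP_KILL",
		"CAP_MKNOD",
		"CAP_NET_BIND_SERVICE",
		"CAP_NET_RAW",
		"CAP_SETFCAP",
		"CAP_SETGID",
		"CAP_SETPCAP",
		"CAP_SETUID",
		"CAP_SYS_CHROOT",
	}

	// privilegedCaps is the broad list granted to privileged containers
	// (38 capabilities, including CAP_SYS_ADMIN, CAP_SYS_MODULE,
	// CAP_SYS_PTRACE and CAP_SYS_RAWIO). A container with these should be
	// treated as equivalent to root on the worker host.
	//
	// NOTE(review): this is an explicit list, not "all capabilities". It does
	// not name capabilities added in newer kernels (e.g. CAP_PERFMON,
	// CAP_BPF, CAP_CHECKPOINT_RESTORE), so on such kernels "privileged" here
	// is slightly narrower than runc's notion of a privileged container.
	// Confirm against the kernel/runc versions the workers run on.
	privilegedCaps = []string{
		"CAP_AUDIT_CONTROL",
		"CAP_AUDIT_READ",
		"CAP_AUDIT_WRITE",
		"CAP_BLOCK_SUSPEND",
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_DAC_READ_SEARCH",
		"CAP_FOWNER",
		"CAP_FSETID",
		"CAP_IPC_LOCK",
		"CAP_IPC_OWNER",
		"CAP_KILL",
		"CAP_LEASE",
		"CAP_LINUX_IMMUTABLE",
		"CAP_MAC_ADMIN",
		"CAP_MAC_OVERRIDE",
		"CAP_MKNOD",
		"CAP_NET_ADMIN",
		"CAP_NET_BIND_SERVICE",
		"CAP_NET_BROADCAST",
		"CAP_NET_RAW",
		"CAP_SETFCAP",
		"CAP_SETGID",
		"CAP_SETPCAP",
		"CAP_SETUID",
		"CAP_SYSLOG",
		"CAP_SYS_ADMIN",
		"CAP_SYS_BOOT",
		"CAP_SYS_CHROOT",
		"CAP_SYS_MODULE",
		"CAP_SYS_NICE",
		"CAP_SYS_PACCT",
		"CAP_SYS_PTRACE",
		"CAP_SYS_RAWIO",
		"CAP_SYS_RESOURCE",
		"CAP_SYS_TIME",
		"CAP_SYS_TTY_CONFIG",
		"CAP_WAKE_ALARM",
	}
)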