
     1  package oci
     2  
     3  import (
     4  	"os"
     5  	"runtime"
     6  
     7  	"github.com/opencontainers/specs/specs-go"
     8  )
     9  
// sPtr returns a pointer to a fresh copy of s, for the spec's optional
// *string fields.
func sPtr(s string) *string {
	p := new(string)
	*p = s
	return p
}
// iPtr returns a pointer to a fresh copy of i, for the spec's optional
// *int64 fields (device major/minor numbers).
func iPtr(i int64) *int64 {
	p := new(int64)
	*p = i
	return p
}
// u32Ptr converts i to uint32 and returns a pointer to the result, for the
// spec's optional *uint32 fields (device node UID/GID). The conversion
// truncates: only the low 32 bits of i survive.
func u32Ptr(i int64) *uint32 {
	p := new(uint32)
	*p = uint32(i)
	return p
}
// fmPtr converts i to an os.FileMode and returns a pointer to the result,
// for the spec's optional *os.FileMode device-node permission field.
func fmPtr(i int64) *os.FileMode {
	p := new(os.FileMode)
	*p = os.FileMode(i)
	return p
}
    14  
// DefaultSpec returns default oci spec used by docker.
//
// The result is the Linux baseline a container starts from: the standard
// pseudo-filesystem mounts, the capability set granted to the container's
// initial process, the namespaces to create, the /proc paths to mask or make
// read-only, one extra device node (/dev/fuse), and the device-cgroup rules
// (a leading deny-all followed by a short allowlist). Per-container settings
// are layered on top of the returned value by the caller.
func DefaultSpec() specs.Spec {
	// mount describes one default mount. For every entry in this table the
	// mount source is the filesystem type itself (proc on proc, tmpfs on
	// tmpfs, ...).
	mount := func(dest, fstype string, opts ...string) specs.Mount {
		return specs.Mount{
			Destination: dest,
			Type:        fstype,
			Source:      fstype,
			Options:     opts,
		}
	}

	// allowChar is a device-cgroup rule granting read, write and mknod on
	// the single character device major:minor.
	allowChar := func(major, minor int64) specs.DeviceCgroup {
		return specs.DeviceCgroup{
			Allow:  true,
			Type:   sPtr("c"),
			Major:  iPtr(major),
			Minor:  iPtr(minor),
			Access: sPtr("rwm"),
		}
	}

	mounts := []specs.Mount{
		// proc, sysfs and mqueue are nosuid/noexec/nodev; sysfs and the
		// cgroup tree are additionally read-only so a container process
		// cannot change host kernel or cgroup state through them.
		mount("/proc", "proc", "nosuid", "noexec", "nodev"),
		// /dev is a fresh tmpfs with nosuid and strictatime. Note that
		// noexec is not part of this option list.
		mount("/dev", "tmpfs", "nosuid", "strictatime", "mode=755"),
		// A private devpts instance (newinstance) so the container does not
		// share ptys with the host; mode=0620 with gid=5 limits pty slaves
		// to their owner plus one group.
		mount("/dev/pts", "devpts", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"),
		mount("/sys", "sysfs", "nosuid", "noexec", "nodev", "ro"),
		mount("/sys/fs/cgroup", "cgroup", "ro", "nosuid", "noexec", "nodev"),
		mount("/dev/mqueue", "mqueue", "nosuid", "noexec", "nodev"),
	}

	// Capabilities granted to the container's initial process. This is a
	// deliberately small set: CAP_SYS_ADMIN, CAP_NET_ADMIN and CAP_SYS_PTRACE
	// are among the ones absent, and anything not listed here is expected to
	// be dropped by the runtime.
	caps := []string{
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FSETID",
		"CAP_FOWNER",
		"CAP_MKNOD",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETUID",
		"CAP_SETFCAP",
		"CAP_SETPCAP",
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_CHROOT",
		"CAP_KILL",
		"CAP_AUDIT_WRITE",
	}

	linux := specs.Linux{
		// Paths hidden from the container: kcore exposes kernel memory and
		// the others expose host-wide timing and scheduler data.
		MaskedPaths: []string{
			"/proc/kcore",
			"/proc/latency_stats",
			"/proc/timer_stats",
			"/proc/sched_debug",
		},
		// Paths remounted read-only. /proc/sys and /proc/sysrq-trigger would
		// otherwise let a root process in the container change kernel
		// parameters or trigger sysrq actions on the host.
		ReadonlyPaths: []string{
			"/proc/asound",
			"/proc/bus",
			"/proc/fs",
			"/proc/irq",
			"/proc/sys",
			"/proc/sysrq-trigger",
		},
		// Namespaces the container is created in. A user namespace is not in
		// this list, so uid 0 inside the container is uid 0 on the host
		// unless remapping is configured elsewhere.
		Namespaces: []specs.Namespace{
			{Type: "mount"},
			{Type: "network"},
			{Type: "uts"},
			{Type: "pid"},
			{Type: "ipc"},
		},
		// Devices implicitly contains the following devices:
		// null, zero, full, random, urandom, tty, console, and ptmx.
		// ptmx is a bind-mount or symlink of the container's ptmx.
		// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
		Devices: []specs.Device{
			// /dev/fuse is created as a root-owned, world-rw node; whether
			// it is actually usable is governed by the cgroup rules below.
			{
				Type:     "c",
				Path:     "/dev/fuse",
				Major:    10,
				Minor:    229,
				FileMode: fmPtr(0666),
				UID:      u32Ptr(0),
				GID:      u32Ptr(0),
			},
		},
		Resources: &specs.Resources{
			// Device-cgroup rules. The runtime is expected to apply them in
			// order, so the first entry denies every device and the allow
			// rules that follow form the whole allowlist.
			Devices: []specs.DeviceCgroup{
				{
					Allow:  false,
					Access: sPtr("rwm"),
				},
				allowChar(1, 5), // /dev/zero
				allowChar(1, 3), // /dev/null
				allowChar(1, 9), // /dev/urandom
				allowChar(1, 8), // /dev/random
				allowChar(5, 0), // /dev/tty
				allowChar(5, 1), // /dev/console
				// NOTE(review): /dev/full (1:7) and /dev/ptmx (5:2), which the
				// Devices comment above says are implicitly present, have no
				// allow rule here; presumably the runtime supplies them — confirm.
				//
				// /dev/fuse: the node is created above but access is denied
				// here. Given the leading deny-all this rule is effectively
				// redundant and serves as an explicit statement of intent.
				{
					Allow:  false,
					Type:   sPtr("c"),
					Major:  iPtr(10),
					Minor:  iPtr(229),
					Access: sPtr("rwm"),
				},
			},
		},
	}

	spec := specs.Spec{
		Version: specs.Version,
		Platform: specs.Platform{
			OS:   runtime.GOOS,
			Arch: runtime.GOARCH,
		},
		Process: specs.Process{Capabilities: caps},
		Mounts:  mounts,
		Linux:   linux,
	}
	return spec
}