
Commit 51cf56f

Merge pull request #2248 from stevvooe/cherry-pick-#2241
[release/1.0] The set of bounding capabilities is the largest group
2 parents 2b3b44f + 69c2686 commit 51cf56f

1 file changed

Lines changed: 3 additions & 19 deletions


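--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -428,25 +428,8 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 })
 }
 
-// make a map of enabled capabilities
-caps := make(map[string]bool)
+admin := false
 for _, c := range sp.Process.Capabilities.Bounding {
-caps[c] = true
-}
-for _, c := range sp.Process.Capabilities.Effective {
-caps[c] = true
-}
-for _, c := range sp.Process.Capabilities.Inheritable {
-caps[c] = true
-}
-for _, c := range sp.Process.Capabilities.Permitted {
-caps[c] = true
-}
-for _, c := range sp.Process.Capabilities.Ambient {
-caps[c] = true
-}
-
-for c := range caps {
 switch c {
 case "CAP_DAC_READ_SEARCH":
 s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
@@ -455,6 +438,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 Args: []specs.LinuxSeccompArg{},
 })
 case "CAP_SYS_ADMIN":
+admin = true
 s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
 Names: []string{
 "bpf",
@@ -542,7 +526,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 }
 }
 
-if !caps["CAP_SYS_ADMIN"] {
+if !admin {
 switch runtime.GOARCH {
 case "s390", "s390x":
 s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{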
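Review bot: The loop over `sp.Process.Capabilities.Bounding` is left with no comment explaining why the other four capability sets are no longer consulted, and the assumption in the commit title (bounding is the largest set) is not checked anywhere in the visible lines. A spec that lists `CAP_SYS_ADMIN` in Effective or Permitted but not in Bounding now gets the restricted profile, including the `if !admin` branch in the last hunk; that is the fail-closed direction for a seccomp allow-list, but it should be written down above the loop, e.g. `// Only Bounding is consulted: it is assumed to be a superset of the other capability sets, so a capability absent here never widens the profile.` The loop also dereferences `sp.Process.Capabilities` directly; DefaultProfile starts outside these hunks, so if nothing earlier guards against a nil `Process` or `Capabilities`, a nil check belongs before the loop.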
