Skip to content

Commit c1ca124

Browse files
justincormackjustincormack
committed
Gate name_to_handle_at by CAP_SYS_ADMIN not CAP_DAC_READ_SEARCH
Only open_by_handle_at requires CAP_DAC_READ_SEARCH. This allows systemd to run with only `--cap-add SYS_ADMIN` rather than having to also add `--cap-add DAC_READ_SEARCH` as well which it does not really need. Signed-off-by: Justin Cormack <[email protected]>
1 parent 2f167a7 commit c1ca124

File tree

1 file changed

+5
-5
lines changed

1 file changed

+5
-5
lines changed

profiles/seccomp/seccomp_default.go

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1667,11 +1667,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
16671667
switch cap {
16681668
case "CAP_DAC_READ_SEARCH":
16691669
syscalls = append(syscalls, []*types.Syscall{
1670-
{
1671-
Name: "name_to_handle_at",
1672-
Action: types.ActAllow,
1673-
Args: []*types.Arg{},
1674-
},
16751670
{
16761671
Name: "open_by_handle_at",
16771672
Action: types.ActAllow,
@@ -1706,6 +1701,11 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
17061701
Action: types.ActAllow,
17071702
Args: []*types.Arg{},
17081703
},
1704+
{
1705+
Name: "name_to_handle_at",
1706+
Action: types.ActAllow,
1707+
Args: []*types.Arg{},
1708+
},
17091709
{
17101710
Name: "perf_event_open",
17111711
Action: types.ActAllow,

0 commit comments

Comments
 (0)