// New returns the docker default configuration for libcontainer func New() *libcontainer.Container { container := &libcontainer.Container{ Capabilities: []string{ "CHOWN", "DAC_OVERRIDE", "FOWNER", "MKNOD", "NET_RAW", "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", }, Namespaces: map[string]bool{ "NEWNS": true, "NEWUTS": true, "NEWIPC": true, "NEWPID": true, "NEWNET": true, }, Cgroups: &cgroups.Cgroup{ Parent: "docker", AllowAllDevices: false, }, Context: libcontainer.Context{}, } if apparmor.IsEnabled() { container.Context["apparmor_profile"] = "docker-default" } return container }
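// setPrivileged lifts the default restrictions on container: every entry
// of its capability mask is marked Enabled, cgroup DeviceAccess is turned
// on and, when AppArmor is enabled on the host, the "unconfined" profile is
// selected. It always returns nil.
func (d *driver) setPrivileged(container *libcontainer.Container) error {
	// Index into the mask instead of ranging over the element value: the
	// range variable is a copy, so the write only lands in the stored entry
	// when the element is a pointer. Indexing works for either element type.
	for i := range container.CapabilitiesMask {
		container.CapabilitiesMask[i].Enabled = true
	}
	container.Cgroups.DeviceAccess = true
	if apparmor.IsEnabled() {
		container.Context["apparmor_profile"] = "unconfined"
	}
	return nil
}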
// setPrivileged grants container the full capability set from
// libcontainer.GetAllCapabilities, unrestricted cgroup device access and the
// host's device nodes, removes the "restrictions" key from its context and,
// when AppArmor is enabled on the host, switches it to the "unconfined"
// profile.
//
// It returns the error from enumerating host device nodes. In that case the
// capability and cgroup changes made before the call remain applied to
// container.
func (d *driver) setPrivileged(container *libcontainer.Container) error {
	container.Capabilities = libcontainer.GetAllCapabilities()
	container.Cgroups.AllowAllDevices = true

	nodes, err := devices.GetHostDeviceNodes()
	if err != nil {
		return err
	}
	container.DeviceNodes = nodes

	// delete is a no-op when the key is absent, so no presence check is needed.
	delete(container.Context, "restrictions")

	if apparmor.IsEnabled() {
		container.Context["apparmor_profile"] = "unconfined"
	}
	return nil
}
// New returns the docker default configuration for libcontainer func New() *libcontainer.Container { container := &libcontainer.Container{ CapabilitiesMask: libcontainer.Capabilities{ libcontainer.GetCapability("SETPCAP"), libcontainer.GetCapability("SYS_MODULE"), libcontainer.GetCapability("SYS_RAWIO"), libcontainer.GetCapability("SYS_PACCT"), libcontainer.GetCapability("SYS_ADMIN"), libcontainer.GetCapability("SYS_NICE"), libcontainer.GetCapability("SYS_RESOURCE"), libcontainer.GetCapability("SYS_TIME"), libcontainer.GetCapability("SYS_TTY_CONFIG"), libcontainer.GetCapability("AUDIT_WRITE"), libcontainer.GetCapability("AUDIT_CONTROL"), libcontainer.GetCapability("MAC_OVERRIDE"), libcontainer.GetCapability("MAC_ADMIN"), libcontainer.GetCapability("NET_ADMIN"), libcontainer.GetCapability("MKNOD"), }, Namespaces: libcontainer.Namespaces{ libcontainer.GetNamespace("NEWNS"), libcontainer.GetNamespace("NEWUTS"), libcontainer.GetNamespace("NEWIPC"), libcontainer.GetNamespace("NEWPID"), libcontainer.GetNamespace("NEWNET"), }, Cgroups: &cgroups.Cgroup{ Parent: "docker", DeviceAccess: false, }, Context: libcontainer.Context{}, } container.CapabilitiesMask.Get("MKNOD").Enabled = true if apparmor.IsEnabled() { container.Context["apparmor_profile"] = "docker-default" } return container }