Use process wrapper introduced in #6814 to drop capabilities. This change also means capabilities are dropped at the per-process level rather than for PID 1 (machined), which allows us to drop capabilities on a per-process basis. Signed-off-by: Noel Georgi <git@frezbo.dev>
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
// Package capability provides utility functions to work with capabilities.
package capability
import (
"strings"
"kernel.org/pub/linux/libs/security/libcap/cap"
"github.com/siderolabs/talos/pkg/machinery/constants"
)
// AllGrantableCapabilities returns list of capabilities that can be granted to the container based on
// process bounding capabilities.
//
// Every capability value below cap.MaxBits() is probed against the bounding set of the calling
// process; a value is included only when it is present there and its name is not a key of
// constants.DefaultDroppedCapabilities. Names are returned upper-cased. The result is never nil,
// so an empty allow-list is reported as an empty (not null) slice.
func AllGrantableCapabilities() []string {
	grantable := make([]string, 0)

	for candidate := cap.Value(0); candidate < cap.MaxBits(); candidate++ {
		name, ok := grantableName(candidate)
		if !ok {
			continue
		}

		grantable = append(grantable, name)
	}

	return grantable
}

// grantableName reports whether candidate is in the bounding set of the current process and is
// not one of the capabilities dropped by default; on success it returns the upper-cased name.
func grantableName(candidate cap.Value) (string, bool) {
	// A GetBound error (e.g. a value the running kernel does not know) is treated the same as
	// "not in the bounding set": such a capability cannot be granted anyway, so skipping it is safe.
	inBoundingSet, err := cap.GetBound(candidate)
	if err != nil || !inBoundingSet {
		return "", false
	}

	// The drop-list is keyed by the name as produced by cap.Value.String(); the
	// upper-casing happens only on the value handed back to callers.
	rawName := candidate.String()
	if _, dropped := constants.DefaultDroppedCapabilities[rawName]; dropped {
		return "", false
	}

	return strings.ToUpper(rawName), true
}