Differential D21570 Diff 62266 sysutils/docker-freebsd/files/patch-vendor_github.com_moby_buildkit_util_entitlements_security__freebsd.go
Changeset View
Changeset View
Standalone View
Standalone View
sysutils/docker-freebsd/files/patch-vendor_github.com_moby_buildkit_util_entitlements_security__freebsd.go
- This file was added.
Property | Old Value | New Value |
---|---|---|
fbsd:nokeywords | null | yes \ No newline at end of property |
svn:eol-style | null | native \ No newline at end of property |
svn:mime-type | null | text/plain \ No newline at end of property |
--- vendor/github.com/moby/buildkit/util/entitlements/security_freebsd.go.orig 2019-06-24 18:24:33 UTC | |||||
+++ vendor/github.com/moby/buildkit/util/entitlements/security_freebsd.go | |||||
@@ -0,0 +1,67 @@ | |||||
+package entitlements | |||||
+ | |||||
+import ( | |||||
+ "context" | |||||
+ | |||||
+ "github.com/containerd/containerd/containers" | |||||
+ "github.com/containerd/containerd/oci" | |||||
+ specs "github.com/opencontainers/runtime-spec/specs-go" | |||||
+) | |||||
+ | |||||
+// WithInsecureSpec sets spec with All capability. | |||||
+func WithInsecureSpec() oci.SpecOpts { | |||||
+ return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { | |||||
+ addCaps := []string{ | |||||
+ "CAP_FSETID", | |||||
+ "CAP_KILL", | |||||
+ "CAP_FOWNER", | |||||
+ "CAP_MKNOD", | |||||
+ "CAP_CHOWN", | |||||
+ "CAP_DAC_OVERRIDE", | |||||
+ "CAP_NET_RAW", | |||||
+ "CAP_SETGID", | |||||
+ "CAP_SETUID", | |||||
+ "CAP_SETPCAP", | |||||
+ "CAP_SETFCAP", | |||||
+ "CAP_NET_BIND_SERVICE", | |||||
+ "CAP_SYS_CHROOT", | |||||
+ "CAP_AUDIT_WRITE", | |||||
+ "CAP_MAC_ADMIN", | |||||
+ "CAP_MAC_OVERRIDE", | |||||
+ "CAP_DAC_READ_SEARCH", | |||||
+ "CAP_SYS_PTRACE", | |||||
+ "CAP_SYS_MODULE", | |||||
+ "CAP_SYSLOG", | |||||
+ "CAP_SYS_RAWIO", | |||||
+ "CAP_SYS_ADMIN", | |||||
+ "CAP_LINUX_IMMUTABLE", | |||||
+ "CAP_SYS_BOOT", | |||||
+ "CAP_SYS_NICE", | |||||
+ "CAP_SYS_PACCT", | |||||
+ "CAP_SYS_TTY_CONFIG", | |||||
+ "CAP_SYS_TIME", | |||||
+ "CAP_WAKE_ALARM", | |||||
+ "CAP_AUDIT_READ", | |||||
+ "CAP_AUDIT_CONTROL", | |||||
+ "CAP_SYS_RESOURCE", | |||||
+ "CAP_BLOCK_SUSPEND", | |||||
+ "CAP_IPC_LOCK", | |||||
+ "CAP_IPC_OWNER", | |||||
+ "CAP_LEASE", | |||||
+ "CAP_NET_ADMIN", | |||||
+ "CAP_NET_BROADCAST", | |||||
+ } | |||||
+ for _, cap := range addCaps { | |||||
+ s.Process.Capabilities.Bounding = append(s.Process.Capabilities.Bounding, cap) | |||||
+ s.Process.Capabilities.Ambient = append(s.Process.Capabilities.Ambient, cap) | |||||
+ s.Process.Capabilities.Effective = append(s.Process.Capabilities.Effective, cap) | |||||
+ s.Process.Capabilities.Inheritable = append(s.Process.Capabilities.Inheritable, cap) | |||||
+ s.Process.Capabilities.Permitted = append(s.Process.Capabilities.Permitted, cap) | |||||
+ } | |||||
+ s.Linux.ReadonlyPaths = []string{} | |||||
+ s.Linux.MaskedPaths = []string{} | |||||
+ s.Process.ApparmorProfile = "" | |||||
+ | |||||
+ return nil | |||||
+ } | |||||
+} |