This repository has no description
opentrace
author
Patrick Ferris
date
(Apr 22, 2025, 8:41 AM +0100)
commit
aefe38f7
aefe38f7aaa696a85c3e0b6ece7d70de6a444f3e
parent
b5093053
b5093053f3a3b5ac40841972a3eb660f3fe9d981
+7
-3
+7
-2
src/lib/shelter/runc.ml
+7
-2
src/lib/shelter/runc.ml
···
71
71
(* Use chroot. *)
72
72
"CAP_KILL";
73
73
(* Bypass permission checks for sending signals. *)
74
-
"CAP_AUDIT_WRITE"
74
+
"CAP_AUDIT_WRITE";
75
75
(* Write records to kernel auditing log. *)
76
+
"CAP_BPF";
77
+
"CAP_PERFMON";
78
+
(* BPF operations *)
76
79
(* Allowed by Docker, but disabled here (because we use host networking):
77
80
"CAP_NET_RAW"; (* Use RAW and PACKET sockets / bind to any address *)
78
81
"CAP_NET_BIND_SERVICE"; (* Bind a socket to Internet domain privileged ports. *)
79
-
*);
82
+
*)
80
83
]
81
84
82
85
let seccomp_syscalls ~fast_sync =
···
216
219
~ty:"sysfs" ~src:"sysfs"
217
220
~options:[ "nosuid"; "noexec"; "nodev"; "ro" ]
218
221
:: mount "/sys/fs/cgroup" ~ty:"cgroup" ~src:"cgroup"
222
+
~options:[ "ro"; "nosuid"; "noexec"; "nodev" ]
223
+
:: mount "/sys/kernel/debug" ~ty:"debugfs" ~src:"debug"
219
224
~options:[ "ro"; "nosuid"; "noexec"; "nodev" ]
220
225
:: mount "/dev/shm" ~ty:"tmpfs" ~src:"shm"
221
226
~options: