package entitlements import ( "context" "github.com/containerd/containerd/containers" "github.com/containerd/containerd/oci" specs "github.com/opencontainers/runtime-spec/specs-go" ) // WithInsecureSpec sets spec with All capability. func WithInsecureSpec() oci.SpecOpts { return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { addCaps := []string{ "CAP_FSETID", "CAP_KILL", "CAP_FOWNER", "CAP_MKNOD", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_SETFCAP", "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_AUDIT_WRITE", "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYSLOG", "CAP_SYS_RAWIO", "CAP_SYS_ADMIN", "CAP_LINUX_IMMUTABLE", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_PACCT", "CAP_SYS_TTY_CONFIG", "CAP_SYS_TIME", "CAP_WAKE_ALARM", "CAP_AUDIT_READ", "CAP_AUDIT_CONTROL", "CAP_SYS_RESOURCE", "CAP_BLOCK_SUSPEND", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_LEASE", "CAP_NET_ADMIN", "CAP_NET_BROADCAST", } for _, cap := range addCaps { s.Process.Capabilities.Bounding = append(s.Process.Capabilities.Bounding, cap) s.Process.Capabilities.Ambient = append(s.Process.Capabilities.Ambient, cap) s.Process.Capabilities.Effective = append(s.Process.Capabilities.Effective, cap) s.Process.Capabilities.Inheritable = append(s.Process.Capabilities.Inheritable, cap) s.Process.Capabilities.Permitted = append(s.Process.Capabilities.Permitted, cap) } s.Linux.ReadonlyPaths = []string{} s.Linux.MaskedPaths = []string{} s.Process.ApparmorProfile = "" return nil } }