

+7 -3
+7 -2
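--- a/src/lib/shelter/runc.ml
+++ b/src/lib/shelter/runc.ml
@@ -71,12 +71,15 @@
 (* Use chroot. *)
 "CAP_KILL";
 (* Bypass permission checks for sending signals. *)
-"CAP_AUDIT_WRITE"
+"CAP_AUDIT_WRITE";
 (* Write records to kernel auditing log. *)
+"CAP_BPF";
+"CAP_PERFMON";
+(* BPF operations *)
 (* Allowed by Docker, but disabled here (because we use host networking):
 "CAP_NET_RAW"; (* Use RAW and PACKET sockets / bind to any address *)
 "CAP_NET_BIND_SERVICE"; (* Bind a socket to Internet domain privileged ports. *)
-*);
+*)
 ]
 
 let seccomp_syscalls ~fast_sync =
@@ -216,6 +219,8 @@
 ~ty:"sysfs" ~src:"sysfs"
 ~options:[ "nosuid"; "noexec"; "nodev"; "ro" ]
 :: mount "/sys/fs/cgroup" ~ty:"cgroup" ~src:"cgroup"
+~options:[ "ro"; "nosuid"; "noexec"; "nodev" ]
+:: mount "/sys/kernel/debug" ~ty:"debugfs" ~src:"debug"
 ~options:[ "ro"; "nosuid"; "noexec"; "nodev" ]
 :: mount "/dev/shm" ~ty:"tmpfs" ~src:"shm"
 ~options: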
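Review bot: Adding `CAP_BPF` and `CAP_PERFMON` to the capability list lets the sandboxed workload load arbitrary BPF programs and attach them to kernel tracing/perf events, which is a far larger kernel attack surface (and, through kprobes and the probe-read helpers, a route to host kernel memory) than anything else in this list, yet the only justification recorded is the one-line `(* BPF operations *)` after `"CAP_PERFMON"`. Every other entry here carries its own explanatory comment, so I would document each new one and its precondition, e.g. `"CAP_BPF"; (* Load BPF programs and maps (Linux >= 5.8; older kernels require CAP_SYS_ADMIN for this). *)` and `"CAP_PERFMON"; (* Attach BPF to kprobes/tracepoints/perf events — this permits reading kernel memory from inside the sandbox. *)`. These capabilities presumably only matter if `bpf` and `perf_event_open` are also allowed by `seccomp_syscalls`, whose body begins at the end of this hunk and is not visible here, so the two lists should be checked against each other. The read-only debugfs mount in the second hunk is consistent with the neighbouring mounts, but debugfs is not a hardened interface even read-only, so a short comment naming the intended consumer (tracefs/kprobe events?) would help the next reviewer judge whether it can be narrowed.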
-1
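--- a/src/lib/shelter/store.ml
+++ b/src/lib/shelter/store.ml
@@ -155,7 +155,6 @@
 
 let with_tool t cid fn =
 let ds = Datasets.tool t.pool (Cid.to_string cid) in
-Fun.protect ~finally:(fun () -> unmount_dataset t ds) @@ fun () ->
 mount_dataset t ds;
 fn ("/" ^ (ds :> string))
 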
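Review bot: With the `Fun.protect ~finally:(fun () -> unmount_dataset t ds)` wrapper removed, `with_tool` now leaves the tool dataset mounted after `fn` returns and also when `fn` raises, so unless unmounting has moved somewhere not visible in this hunk, each call accumulates a mount and an exception in `fn` leaves a mount with no owner. If keeping the mount alive past the callback is intentional, the contract should say so, because the `with_` naming promises scoped cleanup: `(** Mounts the tool dataset for [cid] and leaves it mounted; the caller is responsible for calling [unmount_dataset]. *)`. If it is not intentional, the guard should be restored rather than dropped.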