patrick.sirref.org / shelter
this repo has no description
fork atom

opentrace

Patrick Ferris aefe38f7 b5093053

options
unified split
Changed files
+7 -3
src
lib
shelter
runc.ml
store.ml
+7 -2
src/lib/shelter/runc.ml 
···

       
71

       
71

       
 

       
      (* Use chroot. *)


     

       
72

       
72

       
 

       
      "CAP_KILL";


     

       
73

       
73

       
 

       
      (* Bypass permission checks for sending signals. *)


     

       
74

       

       
-

       
      "CAP_AUDIT_WRITE"


     

       

       
74

       
+

       
      "CAP_AUDIT_WRITE";


     

       
75

       
75

       
 

       
      (* Write records to kernel auditing log. *)


     

       

       
76

       
+

       
      "CAP_BPF";


     

       

       
77

       
+

       
      "CAP_PERFMON";


     

       

       
78

       
+

       
      (* BPF operations *)


     

       
76

       
79

       
 

       
      (* Allowed by Docker, but disabled here (because we use host networking):


     

       
77

       
80

       
 

       
    "CAP_NET_RAW";              (* Use RAW and PACKET sockets / bind to any address *)


     

       
78

       
81

       
 

       
    "CAP_NET_BIND_SERVICE";     (* Bind a socket to Internet domain privileged ports. *)


     

       
79

       

       
-

       
    *);


     

       

       
82

       
+

       
    *)


     

       
80

       
83

       
 

       
    ]


     

       
81

       
84

       
 

       



     

       
82

       
85

       
 

       
  let seccomp_syscalls ~fast_sync =


     
···

       
216

       
219

       
 

       
                  ~ty:"sysfs" ~src:"sysfs"


     

       
217

       
220

       
 

       
                  ~options:[ "nosuid"; "noexec"; "nodev"; "ro" ]


     

       
218

       
221

       
 

       
             :: mount "/sys/fs/cgroup" ~ty:"cgroup" ~src:"cgroup"


     

       

       
222

       
+

       
                  ~options:[ "ro"; "nosuid"; "noexec"; "nodev" ]


     

       

       
223

       
+

       
             :: mount "/sys/kernel/debug" ~ty:"debugfs" ~src:"debug"


     

       
219

       
224

       
 

       
                  ~options:[ "ro"; "nosuid"; "noexec"; "nodev" ]


     

       
220

       
225

       
 

       
             :: mount "/dev/shm" ~ty:"tmpfs" ~src:"shm"


     

       
221

       
226

       
 

       
                  ~options:
-1
src/lib/shelter/store.ml 
···

       
155

       
155

       
 

       



     

       
156

       
156

       
 

       
  let with_tool t cid fn =


     

       
157

       
157

       
 

       
    let ds = Datasets.tool t.pool (Cid.to_string cid) in


     

       
158

       

       
-

       
    Fun.protect ~finally:(fun () -> unmount_dataset t ds) @@ fun () ->


     

       
159

       
158

       
 

       
    mount_dataset t ds;


     

       
160

       
159

       
 

       
    fn ("/" ^ (ds :> string))


     

       
161

       
160