@@ -39,180 +39,17 @@ func New() Generator {
3939 OS: runtime.GOOS,
4040 Arch: runtime.GOARCH,
4141 },
42- Root: rspec.Root{
43- Path: "",
44- Readonly: false,
45- },
4642 Process: rspec.Process{
47- Terminal: false,
48- User: rspec.User{},
43+ User: rspec.User{
44+ UID: 0,
45+ GID: 0,
46+ },
4947 Args: []string{
5048 "sh",
5149 },
52- Env: []string{
53- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
54- "TERM=xterm",
55- },
5650 Cwd: "/",
57- Capabilities: &rspec.LinuxCapabilities{
58- Bounding: []string{
59- "CAP_CHOWN",
60- "CAP_DAC_OVERRIDE",
61- "CAP_FSETID",
62- "CAP_FOWNER",
63- "CAP_MKNOD",
64- "CAP_NET_RAW",
65- "CAP_SETGID",
66- "CAP_SETUID",
67- "CAP_SETFCAP",
68- "CAP_SETPCAP",
69- "CAP_NET_BIND_SERVICE",
70- "CAP_SYS_CHROOT",
71- "CAP_KILL",
72- "CAP_AUDIT_WRITE",
73- },
74- Permitted: []string{
75- "CAP_CHOWN",
76- "CAP_DAC_OVERRIDE",
77- "CAP_FSETID",
78- "CAP_FOWNER",
79- "CAP_MKNOD",
80- "CAP_NET_RAW",
81- "CAP_SETGID",
82- "CAP_SETUID",
83- "CAP_SETFCAP",
84- "CAP_SETPCAP",
85- "CAP_NET_BIND_SERVICE",
86- "CAP_SYS_CHROOT",
87- "CAP_KILL",
88- "CAP_AUDIT_WRITE",
89- },
90- Inheritable: []string{
91- "CAP_CHOWN",
92- "CAP_DAC_OVERRIDE",
93- "CAP_FSETID",
94- "CAP_FOWNER",
95- "CAP_MKNOD",
96- "CAP_NET_RAW",
97- "CAP_SETGID",
98- "CAP_SETUID",
99- "CAP_SETFCAP",
100- "CAP_SETPCAP",
101- "CAP_NET_BIND_SERVICE",
102- "CAP_SYS_CHROOT",
103- "CAP_KILL",
104- "CAP_AUDIT_WRITE",
105- },
106- Effective: []string{
107- "CAP_CHOWN",
108- "CAP_DAC_OVERRIDE",
109- "CAP_FSETID",
110- "CAP_FOWNER",
111- "CAP_MKNOD",
112- "CAP_NET_RAW",
113- "CAP_SETGID",
114- "CAP_SETUID",
115- "CAP_SETFCAP",
116- "CAP_SETPCAP",
117- "CAP_NET_BIND_SERVICE",
118- "CAP_SYS_CHROOT",
119- "CAP_KILL",
120- "CAP_AUDIT_WRITE",
121- },
122- Ambient: []string{
123- "CAP_CHOWN",
124- "CAP_DAC_OVERRIDE",
125- "CAP_FSETID",
126- "CAP_FOWNER",
127- "CAP_MKNOD",
128- "CAP_NET_RAW",
129- "CAP_SETGID",
130- "CAP_SETUID",
131- "CAP_SETFCAP",
132- "CAP_SETPCAP",
133- "CAP_NET_BIND_SERVICE",
134- "CAP_SYS_CHROOT",
135- "CAP_KILL",
136- "CAP_AUDIT_WRITE",
137- },
138- },
139- Rlimits: []rspec.LinuxRlimit{
140- {
141- Type: "RLIMIT_NOFILE",
142- Hard: uint64(1024),
143- Soft: uint64(1024),
144- },
145- },
146- },
147- Hostname: "mrsdalloway",
148- Mounts: []rspec.Mount{
149- {
150- Destination: "/proc",
151- Type: "proc",
152- Source: "proc",
153- Options: nil,
154- },
155- {
156- Destination: "/dev",
157- Type: "tmpfs",
158- Source: "tmpfs",
159- Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
160- },
161- {
162- Destination: "/dev/pts",
163- Type: "devpts",
164- Source: "devpts",
165- Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
166- },
167- {
168- Destination: "/dev/shm",
169- Type: "tmpfs",
170- Source: "shm",
171- Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
172- },
173- {
174- Destination: "/dev/mqueue",
175- Type: "mqueue",
176- Source: "mqueue",
177- Options: []string{"nosuid", "noexec", "nodev"},
178- },
179- {
180- Destination: "/sys",
181- Type: "sysfs",
182- Source: "sysfs",
183- Options: []string{"nosuid", "noexec", "nodev", "ro"},
184- },
185- },
186- Linux: &rspec.Linux{
187- Resources: &rspec.LinuxResources{
188- Devices: []rspec.LinuxDeviceCgroup{
189- {
190- Allow: false,
191- Access: "rwm",
192- },
193- },
194- },
195- Namespaces: []rspec.LinuxNamespace{
196- {
197- Type: "pid",
198- },
199- {
200- Type: "network",
201- },
202- {
203- Type: "ipc",
204- },
205- {
206- Type: "uts",
207- },
208- {
209- Type: "mount",
210- },
211- },
212- Devices: []rspec.LinuxDevice{},
21351 },
21452 }
215- spec.Linux.Seccomp = seccomp.DefaultProfile(&spec)
21653 return Generator{
21754 spec: &spec,
21855 }
0 commit comments