1c7cb1f52e
virtiofsd does not need CAP_DAC_READ_SEARCH because it already has the more powerful CAP_DAC_OVERRIDE. Drop it from the list of capabilities. This is important because container runtimes may not include CAP_DAC_READ_SEARCH by default. This patch allows virtiofsd to reduce its capabilities when running inside a Docker container. Note that CAP_DAC_READ_SEARCH may be necessary again in the future if virtiofsd starts using open_by_handle_at(2). Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Message-Id: <20200727190223.422280-2-stefanha@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> |
||
|---|---|---|
| .. | ||
| 50-qemu-virtiofsd.json.in | ||
| buffer.c | ||
| fuse_common.h | ||
| fuse_i.h | ||
| fuse_log.c | ||
| fuse_log.h | ||
| fuse_lowlevel.c | ||
| fuse_lowlevel.h | ||
| fuse_misc.h | ||
| fuse_opt.c | ||
| fuse_opt.h | ||
| fuse_signals.c | ||
| fuse_virtio.c | ||
| fuse_virtio.h | ||
| helper.c | ||
| meson.build | ||
| passthrough_helpers.h | ||
| passthrough_ll.c | ||
| passthrough_seccomp.c | ||
| passthrough_seccomp.h | ||