github
/
portainer
mirror of https://github.com/portainer/portainer
1
0
Fork 0
Code Issues Releases Wiki Activity
portainer/app/docker/models/containerCapabilities.js

91 lines
4.9 KiB
JavaScript
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

var capDesc = {
SETPCAP: 'Modify process capabilities.',
MKNOD: 'Create special files using mknod(2).',
AUDIT_WRITE: 'Write records to kernel auditing log.',
CHOWN: 'Make arbitrary changes to file UIDs and GIDs (see chown(2)).',
NET_RAW: 'Use RAW and PACKET sockets.',
DAC_OVERRIDE: 'Bypass file read, write, and execute permission checks.',
FOWNER: 'Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.',
FSETID: 'Dont clear set-user-ID and set-group-ID permission bits when a file is modified.',
KILL: 'Bypass permission checks for sending signals.',
SETGID: 'Make arbitrary manipulations of process GIDs and supplementary GID list.',
SETUID: 'Make arbitrary manipulations of process UIDs.',
NET_BIND_SERVICE: 'Bind a socket to internet domain privileged ports (port numbers less than 1024).',
SYS_CHROOT: 'Use chroot(2), change root directory.',
SETFCAP: 'Set file capabilities.',
SYS_MODULE: 'Load and unload kernel modules.',
SYS_RAWIO: 'Perform I/O port operations (iopl(2) and ioperm(2)).',
SYS_PACCT: 'Use acct(2), switch process accounting on or off.',
SYS_ADMIN: 'Perform a range of system administration operations.',
SYS_NICE: 'Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.',
SYS_RESOURCE: 'Override resource Limits.',
SYS_TIME: 'Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.',
SYS_TTY_CONFIG: 'Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.',
AUDIT_CONTROL: 'Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.',
MAC_ADMIN: 'Allow MAC configuration or state changes. Implemented for the Smack LSM.',
MAC_OVERRIDE: 'Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).',
NET_ADMIN: 'Perform various network-related operations.',
SYSLOG: 'Perform privileged syslog(2) operations.',
DAC_READ_SEARCH: 'Bypass file read permission checks and directory read and execute permission checks.',
LINUX_IMMUTABLE: 'Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.',
NET_BROADCAST: 'Make socket broadcasts, and listen to multicasts.',
IPC_LOCK: 'Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).',
IPC_OWNER: 'Bypass permission checks for operations on System V IPC objects.',
SYS_PTRACE: 'Trace arbitrary processes using ptrace(2).',
SYS_BOOT: 'Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.',
LEASE: 'Establish leases on arbitrary files (see fcntl(2)).',
WAKE_ALARM: 'Trigger something that will wake up the system.',
BLOCK_SUSPEND: 'Employ features that can block system suspend.',
};
export function ContainerCapabilities() {
// all capabilities can be found at https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
return [
new ContainerCapability('SETPCAP', true),
new ContainerCapability('MKNOD', true),
new ContainerCapability('AUDIT_WRITE', true),
new ContainerCapability('CHOWN', true),
new ContainerCapability('NET_RAW', true),
new ContainerCapability('DAC_OVERRIDE', true),
new ContainerCapability('FOWNER', true),
new ContainerCapability('FSETID', true),
new ContainerCapability('KILL', true),
new ContainerCapability('SETGID', true),
new ContainerCapability('SETUID', true),
new ContainerCapability('NET_BIND_SERVICE', true),
new ContainerCapability('SYS_CHROOT', true),
new ContainerCapability('SETFCAP', true),
new ContainerCapability('SYS_MODULE', false),
new ContainerCapability('SYS_RAWIO', false),
new ContainerCapability('SYS_PACCT', false),
new ContainerCapability('SYS_ADMIN', false),
new ContainerCapability('SYS_NICE', false),
new ContainerCapability('SYS_RESOURCE', false),
new ContainerCapability('SYS_TIME', false),
new ContainerCapability('SYS_TTY_CONFIG', false),
new ContainerCapability('AUDIT_CONTROL', false),
new ContainerCapability('MAC_ADMIN', false),
new ContainerCapability('MAC_OVERRIDE', false),
new ContainerCapability('NET_ADMIN', false),
new ContainerCapability('SYSLOG', false),
new ContainerCapability('DAC_READ_SEARCH', false),
new ContainerCapability('LINUX_IMMUTABLE', false),
new ContainerCapability('NET_BROADCAST', false),
new ContainerCapability('IPC_LOCK', false),
new ContainerCapability('IPC_OWNER', false),
new ContainerCapability('SYS_PTRACE', false),
new ContainerCapability('SYS_BOOT', false),
new ContainerCapability('LEASE', false),
new ContainerCapability('WAKE_ALARM', false),
new ContainerCapability('BLOCK_SUSPEND', false),
].sort(function (a, b) {
return a.capability < b.capability ? -1 : 1;
});
}
export function ContainerCapability(cap, allowed) {
this.capability = cap;
this.allowed = allowed;
this.description = capDesc[cap];
}
Reference in New Issue View Git Blame Copy Permalink