Chaim Lev-Ari cf5056d9c0
chore(project): add prettier for code format (#3645)
* chore(project): install prettier and lint-staged

* chore(project): apply prettier to html too

* chore(project): git ignore eslintcache

* chore(project): add a comment about format script

* chore(prettier): update printWidth

* chore(prettier): remove useTabs option

* chore(prettier): add HTML validation

* refactor(prettier): fix closing tags

* feat(prettier): define angular parser for html templates

* style(prettier): run prettier on codebase

Co-authored-by: Anthony Lapenna <lapenna.anthony@gmail.com>
/**
 * Human-readable descriptions for the Linux capabilities offered in the
 * container creation form, keyed by capability name without the `CAP_` prefix
 * (the same names Docker accepts for `--cap-add` / `--cap-drop`).
 *
 * The values are displayed verbatim in the UI, so they are kept exactly as
 * originally written. A capability that is not listed here simply has no
 * description (lookups yield `undefined`).
 */
const capDesc = {
  SETPCAP: 'Modify process capabilities.',
  MKNOD: 'Create special files using mknod(2).',
  AUDIT_WRITE: 'Write records to kernel auditing log.',
  CHOWN: 'Make arbitrary changes to file UIDs and GIDs (see chown(2)).',
  NET_RAW: 'Use RAW and PACKET sockets.',
  DAC_OVERRIDE: 'Bypass file read, write, and execute permission checks.',
  FOWNER: 'Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.',
  FSETID: 'Dont clear set-user-ID and set-group-ID permission bits when a file is modified.',
  KILL: 'Bypass permission checks for sending signals.',
  SETGID: 'Make arbitrary manipulations of process GIDs and supplementary GID list.',
  SETUID: 'Make arbitrary manipulations of process UIDs.',
  NET_BIND_SERVICE: 'Bind a socket to internet domain privileged ports (port numbers less than 1024).',
  SYS_CHROOT: 'Use chroot(2), change root directory.',
  SETFCAP: 'Set file capabilities.',
  SYS_MODULE: 'Load and unload kernel modules.',
  SYS_RAWIO: 'Perform I/O port operations (iopl(2) and ioperm(2)).',
  SYS_PACCT: 'Use acct(2), switch process accounting on or off.',
  SYS_ADMIN: 'Perform a range of system administration operations.',
  SYS_NICE: 'Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.',
  SYS_RESOURCE: 'Override resource Limits.',
  SYS_TIME: 'Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.',
  SYS_TTY_CONFIG: 'Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.',
  AUDIT_CONTROL: 'Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.',
  MAC_ADMIN: 'Allow MAC configuration or state changes. Implemented for the Smack LSM.',
  MAC_OVERRIDE: 'Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).',
  NET_ADMIN: 'Perform various network-related operations.',
  SYSLOG: 'Perform privileged syslog(2) operations.',
  DAC_READ_SEARCH: 'Bypass file read permission checks and directory read and execute permission checks.',
  LINUX_IMMUTABLE: 'Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.',
  NET_BROADCAST: 'Make socket broadcasts, and listen to multicasts.',
  IPC_LOCK: 'Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).',
  IPC_OWNER: 'Bypass permission checks for operations on System V IPC objects.',
  SYS_PTRACE: 'Trace arbitrary processes using ptrace(2).',
  SYS_BOOT: 'Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.',
  LEASE: 'Establish leases on arbitrary files (see fcntl(2)).',
  WAKE_ALARM: 'Trigger something that will wake up the system.',
  BLOCK_SUSPEND: 'Employ features that can block system suspend.',
};
/**
 * Builds the list of Linux capabilities shown in the container creation form.
 *
 * Each entry is a `ContainerCapability` whose `allowed` flag is the form's
 * initial state: the first group below is marked `true` (these match the set
 * Docker grants to a container by default, per the linked docs), the second
 * group is marked `false` (capabilities Docker does not grant unless the user
 * explicitly adds them — several of these, e.g. SYS_ADMIN, SYS_PTRACE and
 * SYS_MODULE, materially weaken container isolation, so leaving them off is
 * the safe default).
 *
 * @returns {ContainerCapability[]} the capabilities sorted by name using plain
 *   code-unit string comparison (so `SYSLOG` sorts before `SYS_ADMIN`).
 */
export function ContainerCapabilities() {
  // all capabilities can be found at https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
  const grantedByDefault = [
    'SETPCAP',
    'MKNOD',
    'AUDIT_WRITE',
    'CHOWN',
    'NET_RAW',
    'DAC_OVERRIDE',
    'FOWNER',
    'FSETID',
    'KILL',
    'SETGID',
    'SETUID',
    'NET_BIND_SERVICE',
    'SYS_CHROOT',
    'SETFCAP',
  ];
  const droppedByDefault = [
    'SYS_MODULE',
    'SYS_RAWIO',
    'SYS_PACCT',
    'SYS_ADMIN',
    'SYS_NICE',
    'SYS_RESOURCE',
    'SYS_TIME',
    'SYS_TTY_CONFIG',
    'AUDIT_CONTROL',
    'MAC_ADMIN',
    'MAC_OVERRIDE',
    'NET_ADMIN',
    'SYSLOG',
    'DAC_READ_SEARCH',
    'LINUX_IMMUTABLE',
    'NET_BROADCAST',
    'IPC_LOCK',
    'IPC_OWNER',
    'SYS_PTRACE',
    'SYS_BOOT',
    'LEASE',
    'WAKE_ALARM',
    'BLOCK_SUSPEND',
  ];

  const toCapability = (allowed) => (name) => new ContainerCapability(name, allowed);
  const capabilities = [...grantedByDefault.map(toCapability(true)), ...droppedByDefault.map(toCapability(false))];

  // Names are unique, so the comparator never needs to return 0; a plain
  // `<` comparison (not localeCompare) is used on purpose to keep the order
  // stable across locales.
  capabilities.sort((a, b) => {
    if (a.capability < b.capability) {
      return -1;
    }
    return 1;
  });
  return capabilities;
}
/**
 * Constructor for a single Linux capability row in the container creation form.
 *
 * @param {string} cap - capability name without the `CAP_` prefix, e.g. `SYS_ADMIN`.
 * @param {boolean} allowed - whether the capability is initially enabled in the form.
 *
 * Sets `capability`, `allowed` and `description`; `description` is looked up
 * in the module-level `capDesc` table and is `undefined` for names that are
 * not listed there.
 */
export function ContainerCapability(cap, allowed) {
  Object.assign(this, {
    capability: cap,
    allowed,
    description: capDesc[cap],
  });
}