Gate name_to_handle_at by CAP_SYS_ADMIN not CAP_DAC_READ_SEARCH

Only open_by_handle_at requires CAP_DAC_READ_SEARCH. This allows systemd to run with only `--cap-add SYS_ADMIN` rather than having to also add `--cap-add DAC_READ_SEARCH` as well which it does not really need. Signed-off-by: Justin Cormack <[email protected]>
tiborvass · Aug 10, 2016 · c1ca124 · c1ca124
1 parent 2f167a7
commit c1ca124
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
@@ -1667,11 +1667,6 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 		switch cap {
 		case "CAP_DAC_READ_SEARCH":
 			syscalls = append(syscalls, []*types.Syscall{
-				{
-					Name:   "name_to_handle_at",
-					Action: types.ActAllow,
-					Args:   []*types.Arg{},
-				},
 				{
 					Name:   "open_by_handle_at",
 					Action: types.ActAllow,
@@ -1706,6 +1701,11 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 					Action: types.ActAllow,
 					Args:   []*types.Arg{},
 				},
+				{
+					Name:   "name_to_handle_at",
+					Action: types.ActAllow,
+					Args:   []*types.Arg{},
+				},
 				{
 					Name:   "perf_event_open",
 					Action: types.ActAllow,