commit 1c2ddccf865455c55e0b877171bc57ec25bfe4bc parent 196bb1f7401c986192ec095401c58a5566f0d4d8 Author: ccx <ccx@te2000.cz> Date: Sun, 19 May 2024 22:24:29 +0000 Use different caps per privileged container Diffstat:
M | zsh-functions/confz_site_containers_init | | | 13 | ++++++++++--- |
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/zsh-functions/confz_site_containers_init b/zsh-functions/confz_site_containers_init
@@ -244,10 +244,17 @@ confz_site_container_services_check() {
 require site_containers_user user=ccx :containers_dir :svscan_dir
 #require container_service_sysroot :containers_dir :svscan_dir \
 # image_name=alpine-dev
- local name
- for name in wpa_supplicant dhcpcd unbound tinc; do
+ local -A privileged_containers
+ local name linux_caps
+ privileged_containers=(
+ wpa_supplicant '^CAP_NET_ADMIN,CAP_NET_RAW'
+ dhcpcd '^CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND'
+ unbound ''
+ tinc '^CAP_NET_ADMIN'
+ )
+ for name linux_caps in "${(@kv)privileged_containers}"; do
 require site_containers_user_single :containers_dir :svscan_dir \
- linux_caps='^CAP_NET_ADMIN' \
+ linux_caps="^$linux_caps" \
 user=$name container_name=$name image_name=alpine-$name
 done
 }
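Review bot: The caret is applied twice: the map values already start with `^` and the loop then passes `linux_caps="^$linux_caps"`, so wpa_supplicant receives `^^CAP_NET_ADMIN,CAP_NET_RAW` and unbound's empty entry becomes a bare `^` — whatever site_containers_user_single (not shown here) does with that prefix, the value no longer matches the old `^CAP_NET_ADMIN` form, which may loosen or break the capability set for these containers. Either strip the `^` from the four map values or change the call line to `linux_caps=$linux_caps \`. Separately, `CAP_NET_BIND` is not a Linux capability name; the one that permits binding ports below 1024 is `CAP_NET_BIND_SERVICE`, so the dhcpcd entry should read `dhcpcd '^CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE'` (or without the caret, per the fix above) — how the consumer treats an unknown name (reject vs. silently drop) is worth confirming, since a dropped cap changes what the container is allowed to do. Note also that `"${(@kv)...}"` iterates an associative array in unspecified order, so the containers are now created in a different and non-deterministic order than the old list; fine if they are independent, otherwise an explicit ordered list is safer. confz_site_container_services_check begins before this hunk.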