main: Add settings for privileged containers
Signed-off-by: Thomas Hipp <thomas.hipp@canonical.com>
monstermunchkin committed Jun 1, 2021
1 parent f5b65cc commit be87201
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions distrobuilder/main.go
Expand Up @@ -572,6 +572,17 @@ fix_systemd_override_unit() {
[ "${systemd_version}" -ge 247 ] && echo "ProtectProc=default" >> "${dropin_dir}/lxc-service.conf"
[ "${systemd_version}" -ge 232 ] && echo "ProtectControlGroups=no" >> "${dropin_dir}/lxc-service.conf"
[ "${systemd_version}" -ge 232 ] && echo "ProtectKernelTunables=no" >> "${dropin_dir}/lxc-service.conf"
# Additional settings for privileged containers
if grep -q 4294967295 /proc/self/uid_map; then
echo "ProtectHome=no" >> "${dropin_dir}/lxc-service.conf"
echo "ProtectSystem=no" >> "${dropin_dir}/lxc-service.conf"
echo "PrivateDevices=no" >> "${dropin_dir}/lxc-service.conf"
echo "PrivateTmp=no" >> "${dropin_dir}/lxc-service.conf"
[ "${systemd_version}" -ge 244 ] && echo "ProtectKernelLogs=no" >> "${dropin_dir}/lxc-service.conf"
[ "${systemd_version}" -ge 232 ] && echo "ProtectKernelModules=no" >> "${dropin_dir}/lxc-service.conf"
echo "ReadWritePaths=" >> "${dropin_dir}/lxc-service.conf"
fi
}
# fix_systemd_mask_audit masks the systemd-journal-audit socket
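Review bot: The new `if grep -q 4294967295 /proc/self/uid_map` branch relies on a non-obvious heuristic and then withdraws six systemd sandboxing directives plus clears `ReadWritePaths=`, with only `# Additional settings for privileged containers` to justify it, so a later maintainer cannot tell why the hardening is removed or what the number means. The comment should state the detection rule and the rationale, e.g. `# A uid_map spanning the full 32-bit range (4294967295) indicates no user namespace is mapped, i.e. a privileged container; the mount/device sandboxing below presumably cannot be applied there — verify which directives actually fail before extending this list.` It is also worth a one-line comment that the empty `ReadWritePaths=` assignment resets the list rather than granting a path. Since the match target is a literal number, `grep -qF 4294967295 /proc/self/uid_map` would make the fixed-string intent explicit. fix_systemd_override_unit begins outside the hunk.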
