Skip to content

fix: default to restricted OCI capability set#786

Open
crosbymichael wants to merge 1 commit into
apple:mainfrom
crosbymichael:all-caps
Open

fix: default to restricted OCI capability set#786
crosbymichael wants to merge 1 commit into
apple:mainfrom
crosbymichael:all-caps

Conversation

@crosbymichael

Copy link
Copy Markdown
Contributor

Changes the default Linux capability set for container processes from .allCapabilities to .defaultOCICapabilities, making the library secure-by-default. Callers that genuinely need elevated capabilities must now opt in explicitly.

Changes the default Linux capability set for container processes from
`.allCapabilities` to `.defaultOCICapabilities`, making the library
secure-by-default. Callers that genuinely need elevated capabilities must now
opt in explicitly.

Signed-off-by: michael_crosby <michael_crosby@apple.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants