b2bec9806f
These lists have been in the codebase for a very long time, and have been unused for a large portion of that time -- specconv doesn't generate them and the only user of these flags has been tests (which doesn't inspire much confidence). In addition, we had an incorrect implementation of a white-list policy. This wasn't exploitable because all of our users explicitly specify "deny all" as the first rule, but it was a pretty glaring issue that came from the "feature" that users can select whether they prefer a white- or black- list. Fix this by always writing a deny-all rule (which is what our users were doing anyway, to work around this bug). This is one of many changes needed to clean up the devices cgroup code. Signed-off-by: Aleksa Sarai <asarai@suse.de> |
||
---|---|---|
checkpoint_test.go | ||
doc.go | ||
exec_test.go | ||
execin_test.go | ||
init_test.go | ||
seccomp_test.go | ||
template_test.go | ||
utils_test.go |