container: allow container admins the sys_admin capability in user namespaces

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2022-12-07 10:49:39 -05:00
parent 810cc48197
commit 22ece2b57e


@ -2518,7 +2518,7 @@ interface(`container_admin',`
allow $1 container_engine_domain:process { ptrace signal_perms };
ps_process_pattern($1, container_engine_domain)
allow $1 self:cap_userns { kill sys_ptrace };
allow $1 self:cap_userns { kill sys_ptrace sys_admin };
files_search_var_lib($1)
admin_pattern($1, container_var_lib_t)