Make raw sockets a toggleable feature disabled by default.

PiperOrigin-RevId: 245511019 Change-Id: Ia9562a301b46458988a6a1f0bbd5f07cbfcb0615
author: Kevin Krakauer <krakauer@google.com> 2019-04-26 16:50:35 -0700
committer: Shentubot <shentubot@google.com> 2019-04-26 16:51:46 -0700
commit: 43dff57b878edb5502daf486cbc13b058780dd56 (patch)
tree: 5e01968cd8067277c0f17340505e57e98d977b2a /runsc/boot/config.go
parent: 5749f64314d38516badec156ab048d3523294a81 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/runsc/boot/config.go b/runsc/boot/config.go
index 2523077fd..ba47effc1 100644
--- a/runsc/boot/config.go
+++ b/runsc/boot/config.go
@@ -175,6 +175,11 @@ type Config struct {
 	// Network indicates what type of network to use.
 	Network NetworkType
 
+	// EnableRaw indicates whether raw sockets should be enabled. Raw
+	// sockets are disabled by stripping CAP_NET_RAW from the list of
+	// capabilities.
+	EnableRaw bool
+
 	// GSO indicates that generic segmentation offload is enabled.
 	GSO bool
 
@@ -235,6 +240,7 @@ func (c *Config) ToFlags() []string {
 		"--watchdog-action=" + c.WatchdogAction.String(),
 		"--panic-signal=" + strconv.Itoa(c.PanicSignal),
 		"--profile=" + strconv.FormatBool(c.ProfileEnable),
+		"--net-raw=" + strconv.FormatBool(c.EnableRaw),
 	}
 	if c.TestOnlyAllowRunAsCurrentUserWithoutChroot {
 		// Only include if set since it is never to be used by users.
author	Kevin Krakauer <krakauer@google.com>	2019-04-26 16:50:35 -0700
committer	Shentubot <shentubot@google.com>	2019-04-26 16:51:46 -0700
commit	43dff57b878edb5502daf486cbc13b058780dd56 (patch)
tree	5e01968cd8067277c0f17340505e57e98d977b2a /runsc/boot/config.go
parent	5749f64314d38516badec156ab048d3523294a81 (diff)