Prevent CAP_NET_RAW from appearing in exec

'docker exec' was getting CAP_NET_RAW even when --net-raw=false because it was not filtered out from when copying container's capabilities. PiperOrigin-RevId: 272260451
author: Fabricio Voznika <fvoznika@google.com> 2019-10-01 11:48:24 -0700
committer: gVisor bot <gvisor-bot@google.com> 2019-10-01 11:49:49 -0700
commit: 0b02c3d5e5bae87f5cdbf4ae20dad8344bef32c2 (patch)
tree: a5c60e3e55bbfc6807eabd8a219318d6446d9cd4 /runsc/specutils/BUILD
parent: 53cc72da90f5b5a76b024b47fe4e38a81b495eb4 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/runsc/specutils/BUILD b/runsc/specutils/BUILD
index fbfb8e2f8..fa58313a0 100644
--- a/runsc/specutils/BUILD
+++ b/runsc/specutils/BUILD
@@ -13,6 +13,7 @@ go_library(
     visibility = ["//:sandbox"],
     deps = [
         "//pkg/abi/linux",
+        "//pkg/bits",
         "//pkg/log",
         "//pkg/sentry/kernel/auth",
         "@com_github_cenkalti_backoff//:go_default_library",
author	Fabricio Voznika <fvoznika@google.com>	2019-10-01 11:48:24 -0700
committer	gVisor bot <gvisor-bot@google.com>	2019-10-01 11:49:49 -0700
commit	0b02c3d5e5bae87f5cdbf4ae20dad8344bef32c2 (patch)
tree	a5c60e3e55bbfc6807eabd8a219318d6446d9cd4 /runsc/specutils/BUILD
parent	53cc72da90f5b5a76b024b47fe4e38a81b495eb4 (diff)