shoenig / nomad-pledge-driver

Nomad task driver capable of blocking unwanted syscall and filesystem access. Based on the pledge utility for Linux by Justine Tunney
Mozilla Public License 2.0

idea: set cap_net_bind_service on pledge binary #8

Closed shoenig closed 1 year ago

shoenig commented 1 year ago

It helps to have cap_net_bind_service+eip set on the pledge helper executable; we can probably just have the plugin do that on startup. Or maybe just set a plugin attribute with the detected status.

shoenig commented 1 year ago

detection in #12
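
One way to detect the status discussed in the first comment, as an added example that is not the plugin's code or the change in #12: Linux stores file capabilities in the `security.capability` extended attribute, and this decoder reports whether a given capability is in the effective, inheritable and permitted sets. `FileCap`, `ParseFileCap` and `sampleEIP` are hypothetical names, and the sample bytes are constructed rather than read from a real pledge binary.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Constants from linux/capability.h.
const (
	capNetBindService = 10         // CAP_NET_BIND_SERVICE
	vfsCapRevMask     = 0xFF000000 // VFS_CAP_REVISION_MASK
	vfsCapRev1        = 0x01000000 // one 32-bit word per set
	vfsCapRev2        = 0x02000000 // two 32-bit words per set
	vfsCapRev3        = 0x03000000 // revision 2 layout plus a trailing rootid
	vfsCapEffective   = 0x000001   // VFS_CAP_FLAGS_EFFECTIVE
)

// FileCap reports which file capability sets contain one capability.
type FileCap struct{ Effective, Inheritable, Permitted bool }

// ParseFileCap decodes a raw security.capability value for capability bit n.
func ParseFileCap(raw []byte, n uint) (FileCap, error) {
	if len(raw) < 4 {
		return FileCap{}, fmt.Errorf("xattr too short: %d bytes", len(raw))
	}
	magic := binary.LittleEndian.Uint32(raw)
	words := uint(2)
	switch magic & vfsCapRevMask {
	case vfsCapRev1:
		words = 1
	case vfsCapRev2, vfsCapRev3: // keep the two-word default
	default:
		return FileCap{}, fmt.Errorf("unknown revision %#x", magic&vfsCapRevMask)
	}
	if uint(len(raw)) < 4+8*words || n >= 32*words {
		return FileCap{}, fmt.Errorf("xattr truncated or capability %d out of range", n)
	}
	off := 4 + 8*(n/32) // each word index holds a permitted, inheritable pair
	bit := uint32(1) << (n % 32)
	return FileCap{
		Effective:   magic&vfsCapEffective != 0, // one flag for the whole file
		Permitted:   binary.LittleEndian.Uint32(raw[off:])&bit != 0,
		Inheritable: binary.LittleEndian.Uint32(raw[off+4:])&bit != 0,
	}, nil
}

// sampleEIP is a constructed revision 2 value for cap_net_bind_service+eip.
var sampleEIP = []byte{1, 0, 0, 2, 0, 4, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
func main() { fmt.Println(ParseFileCap(sampleEIP, capNetBindService)) }
```
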