From 88d25fc14ea781b50b6d5e0276f513a7e7fc06c2 Mon Sep 17 00:00:00 2001
From: Felipe Santos
Date: Sun, 21 May 2023 10:19:05 -0300
Subject: [PATCH] Add support for CAP_BPF and CAP_PERFMON privileges (#4259)

Co-authored-by: Stefan Agner
---
 supervisor/addons/utils.py | 8 +++++---
 supervisor/docker/const.py | 2 ++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/supervisor/addons/utils.py b/supervisor/addons/utils.py
index d8edef4a4..a68382b78 100644
--- a/supervisor/addons/utils.py
+++ b/supervisor/addons/utils.py
@@ -44,13 +44,15 @@ def rating_security(addon: AddonModel) -> int:
 any(
 privilege in addon.privileged
 for privilege in (
+ Capabilities.BPF,
+ Capabilities.DAC_READ_SEARCH,
 Capabilities.NET_ADMIN,
 Capabilities.NET_RAW,
+ Capabilities.PERFMON,
 Capabilities.SYS_ADMIN,
- Capabilities.SYS_RAWIO,
- Capabilities.SYS_PTRACE,
 Capabilities.SYS_MODULE,
- Capabilities.DAC_READ_SEARCH,
+ Capabilities.SYS_PTRACE,
+ Capabilities.SYS_RAWIO,
 )
 )
 or addon.with_kernel_modules
diff --git a/supervisor/docker/const.py b/supervisor/docker/const.py
index fcdc205f2..324def624 100644
--- a/supervisor/docker/const.py
+++ b/supervisor/docker/const.py
@@ -5,10 +5,12 @@ from enum import Enum
 class Capabilities(str, Enum):
 """Linux Capabilities."""
+ BPF = "BPF"
 DAC_READ_SEARCH = "DAC_READ_SEARCH"
 IPC_LOCK = "IPC_LOCK"
 NET_ADMIN = "NET_ADMIN"
 NET_RAW = "NET_RAW"
+ PERFMON = "PERFMON"
 SYS_ADMIN = "SYS_ADMIN"
 SYS_MODULE = "SYS_MODULE"
 SYS_NICE = "SYS_NICE"
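Review bot: The capability tuple inside `rating_security` is an inline list that must be kept in step with the `Capabilities` enum by hand, and nothing records which members are left out on purpose. The `const.py` hunk of this same patch shows `IPC_LOCK` and `SYS_NICE` in the enum but absent from this tuple. I would move the tuple to a named module-level constant carrying a comment such as `# Capabilities that grant host-wide observation or control; requesting any of them affects the add-on security rating.`, so that a later enum addition forces an explicit decision. No test for the new `Capabilities.BPF` / `Capabilities.PERFMON` entries is visible in this patch; one asserting their effect on the rating would pin the change. The body of `rating_security` starts and ends outside the hunk, so how the `any(...)` result is applied to the score is not visible here.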
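Review bot: The new `BPF` and `PERFMON` members of `Capabilities` carry no comment noting that CAP_BPF and CAP_PERFMON only exist on Linux 5.8 and later, where they were split out of CAP_SYS_ADMIN. If these values are passed to the container runtime as added capabilities (that code is not in this hunk), an add-on requesting them on an older host kernel may fail to start or still need `SYS_ADMIN`. A short comment above the two members would help, for example `# CAP_BPF / CAP_PERFMON require Linux >= 5.8; older kernels gate the same operations behind SYS_ADMIN.` The enum continues past the end of the hunk.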