vendor/github.com/moby/buildkit/util/entitlements/security_linux.go - third_party/github.com/docker/docker - Git at Google

 package entitlements

 import (
 	"context"

 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )

 // WithInsecureSpec sets spec with All capability.
 func WithInsecureSpec() oci.SpecOpts {
 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
 		addCaps := []string{
 			"CAP_FSETID",
 			"CAP_KILL",
 			"CAP_FOWNER",
 			"CAP_MKNOD",
 			"CAP_CHOWN",
 			"CAP_DAC_OVERRIDE",
 			"CAP_NET_RAW",
 			"CAP_SETGID",
 			"CAP_SETUID",
 			"CAP_SETPCAP",
 			"CAP_SETFCAP",
 			"CAP_NET_BIND_SERVICE",
 			"CAP_SYS_CHROOT",
 			"CAP_AUDIT_WRITE",
 			"CAP_MAC_ADMIN",
 			"CAP_MAC_OVERRIDE",
 			"CAP_DAC_READ_SEARCH",
 			"CAP_SYS_PTRACE",
 			"CAP_SYS_MODULE",
 			"CAP_SYSLOG",
 			"CAP_SYS_RAWIO",
 			"CAP_SYS_ADMIN",
 			"CAP_LINUX_IMMUTABLE",
 			"CAP_SYS_BOOT",
 			"CAP_SYS_NICE",
 			"CAP_SYS_PACCT",
 			"CAP_SYS_TTY_CONFIG",
 			"CAP_SYS_TIME",
 			"CAP_WAKE_ALARM",
 			"CAP_AUDIT_READ",
 			"CAP_AUDIT_CONTROL",
 			"CAP_SYS_RESOURCE",
 			"CAP_BLOCK_SUSPEND",
 			"CAP_IPC_LOCK",
 			"CAP_IPC_OWNER",
 			"CAP_LEASE",
 			"CAP_NET_ADMIN",
 			"CAP_NET_BROADCAST",
 		}
 		for _, cap := range addCaps {
 			s.Process.Capabilities.Bounding = append(s.Process.Capabilities.Bounding, cap)
 			s.Process.Capabilities.Ambient = append(s.Process.Capabilities.Ambient, cap)
 			s.Process.Capabilities.Effective = append(s.Process.Capabilities.Effective, cap)
 			s.Process.Capabilities.Inheritable = append(s.Process.Capabilities.Inheritable, cap)
 			s.Process.Capabilities.Permitted = append(s.Process.Capabilities.Permitted, cap)
 		}
 		s.Linux.ReadonlyPaths = []string{}
 		s.Linux.MaskedPaths = []string{}
 		s.Process.ApparmorProfile = ""

 		return nil
 	}
 }
	package entitlements

	import (
	"context"

	"github.com/containerd/containerd/containers"
	"github.com/containerd/containerd/oci"
	specs "github.com/opencontainers/runtime-spec/specs-go"
	)

	// WithInsecureSpec sets spec with All capability.
	func WithInsecureSpec() oci.SpecOpts {
	return func(_ context.Context, _ oci.Client, _ containers.Container, s specs.Spec) error {
	addCaps := []string{
	"CAP_FSETID",
	"CAP_KILL",
	"CAP_FOWNER",
	"CAP_MKNOD",
	"CAP_CHOWN",
	"CAP_DAC_OVERRIDE",
	"CAP_NET_RAW",
	"CAP_SETGID",
	"CAP_SETUID",
	"CAP_SETPCAP",
	"CAP_SETFCAP",
	"CAP_NET_BIND_SERVICE",
	"CAP_SYS_CHROOT",
	"CAP_AUDIT_WRITE",
	"CAP_MAC_ADMIN",
	"CAP_MAC_OVERRIDE",
	"CAP_DAC_READ_SEARCH",
	"CAP_SYS_PTRACE",
	"CAP_SYS_MODULE",
	"CAP_SYSLOG",
	"CAP_SYS_RAWIO",
	"CAP_SYS_ADMIN",
	"CAP_LINUX_IMMUTABLE",
	"CAP_SYS_BOOT",
	"CAP_SYS_NICE",
	"CAP_SYS_PACCT",
	"CAP_SYS_TTY_CONFIG",
	"CAP_SYS_TIME",
	"CAP_WAKE_ALARM",
	"CAP_AUDIT_READ",
	"CAP_AUDIT_CONTROL",
	"CAP_SYS_RESOURCE",
	"CAP_BLOCK_SUSPEND",
	"CAP_IPC_LOCK",
	"CAP_IPC_OWNER",
	"CAP_LEASE",
	"CAP_NET_ADMIN",
	"CAP_NET_BROADCAST",
	}
	for _, cap := range addCaps {
	s.Process.Capabilities.Bounding = append(s.Process.Capabilities.Bounding, cap)
	s.Process.Capabilities.Ambient = append(s.Process.Capabilities.Ambient, cap)
	s.Process.Capabilities.Effective = append(s.Process.Capabilities.Effective, cap)
	s.Process.Capabilities.Inheritable = append(s.Process.Capabilities.Inheritable, cap)
	s.Process.Capabilities.Permitted = append(s.Process.Capabilities.Permitted, cap)
	}
	s.Linux.ReadonlyPaths = []string{}
	s.Linux.MaskedPaths = []string{}
	s.Process.ApparmorProfile = ""

	return nil
	}
	}