I didn't realize this, but SCC capabilities = nil means "can't request the cap". So any Kube example (cassandra) that requests IPC_LOCK for mmap() is broken because none of our SCCs allow that. I had assumed that we would allow ["*"] to enumerate all possible caps.
@pweil- I see several kube charts and examples that assume IPC_LOCK can be had.
This is a gap in SCC and in PSP if reasonable caps can't be accessed by default. We could enumerate, but I don't know why an admin wouldn't be able to run all caps.
> We could enumerate, but I don't know why an admin wouldn't be able to run all caps.
A * option makes sense to me for this and should be a very easy enhancement. @php-coder it should be the default for the privileged SCC. I would not add it to any others unless someone has a reason that IPC_LOCK should be considered reasonable. It allows you to prevent memory from being paged.
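The behaviour discussed in this thread, as an added example that is not part of any comment above and is not OpenShift's own code: a simplified Go model of the capability check, showing why a nil allowed list rejects an IPC_LOCK request and how an enumerated list or the proposed `*` wildcard would admit it. The `scc` type, `deniedCaps` and the wildcard semantics are assumptions made for illustration.

```go
package main

import "fmt"

// scc is a simplified, hypothetical model of the capability fields of a
// SecurityContextConstraints object; it is not the OpenShift API type.
type scc struct {
	Name                string
	AllowedCapabilities []string // nil: no capability may be requested
	DefaultAdd          []string // added to every container, so implicitly allowed
}

// AllowAll is the wildcard proposed in the thread (assumed semantics).
const AllowAll = "*"

// deniedCaps returns the requested capabilities that the SCC would reject.
func deniedCaps(s scc, requested []string) []string {
	allowed := map[string]bool{}
	for _, c := range s.DefaultAdd {
		allowed[c] = true
	}
	for _, c := range s.AllowedCapabilities {
		if c == AllowAll {
			return nil // wildcard: every capability may be requested
		}
		allowed[c] = true
	}
	var denied []string
	for _, c := range requested {
		if !allowed[c] {
			denied = append(denied, c)
		}
	}
	return denied
}

func main() {
	request := []string{"IPC_LOCK"} // what the cassandra example asks for
	for _, s := range []scc{
		{Name: "nil-allowed"}, // constructed sample SCCs
		{Name: "enumerated", AllowedCapabilities: []string{"IPC_LOCK"}},
		{Name: "wildcard", AllowedCapabilities: []string{AllowAll}},
	} {
		fmt.Printf("%-12s denied=%v\n", s.Name, deniedCaps(s, request))
	}
}
```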