summaryrefslogtreecommitdiff
path: root/cmd/kpod/spec.go
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2017-11-03 19:44:23 +0000
committerDaniel J Walsh <dwalsh@redhat.com>2017-11-04 09:07:47 +0000
commit619637a9197877f3bda54648f9fabc4af90cf9c2 (patch)
tree87c2b0e722100c8068333b686b3636d046bd5dfa /cmd/kpod/spec.go
parent098389dc3e7bbba7c266ad24c909f3a5422e2908 (diff)
downloadpodman-619637a9197877f3bda54648f9fabc4af90cf9c2.tar.gz
podman-619637a9197877f3bda54648f9fabc4af90cf9c2.tar.bz2
podman-619637a9197877f3bda54648f9fabc4af90cf9c2.zip
Handle Linux Capabilities from command line
Had to revendor in docker/docker again, which dropped a bunch of packages Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd/kpod/spec.go')
-rw-r--r--cmd/kpod/spec.go29
1 files changed, 25 insertions, 4 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index d30c0d1a5..6041f301a 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -6,6 +6,7 @@ import (
"io/ioutil"
"strings"
+ "github.com/docker/docker/daemon/caps"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/projectatomic/libpod/libpod"
@@ -15,6 +16,25 @@ import (
"golang.org/x/sys/unix"
)
+func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
+ var err error
+ var caplist []string
+ if config.privileged {
+ caplist = caps.GetAllCapabilities()
+ } else {
+ caplist, err = caps.TweakCapabilities(defaultCapabilities(), config.capAdd, config.capDrop)
+ if err != nil {
+ return err
+ }
+ }
+
+ configSpec.Process.Capabilities.Bounding = caplist
+ configSpec.Process.Capabilities.Permitted = caplist
+ configSpec.Process.Capabilities.Inheritable = caplist
+ configSpec.Process.Capabilities.Effective = caplist
+ return nil
+}
+
// Parses information needed to create a container into an OCI runtime spec
func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
configSpec := config.GetDefaultLinuxSpec()
@@ -30,9 +50,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
configSpec.Process.Env = config.env
- //TODO
- // Need examples of capacity additions so I can load that properly
-
configSpec.Root.Readonly = config.readOnlyRootfs
configSpec.Hostname = config.hostname
@@ -110,8 +127,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
configSpec.Linux.Seccomp = &seccompConfig
}
+ // HANDLE CAPABILITIES
+ if err := setupCapabilities(config, &configSpec); err != nil {
+ return nil, err
+ }
+
/*
- Capabilities: &configSpec.LinuxCapabilities{
// Rlimits []PosixRlimit // Where does this come from
// Type string
// Hard uint64