author | Daniel J Walsh <dwalsh@redhat.com> | 2017-11-03 19:44:23 +0000 |
committer | Daniel J Walsh <dwalsh@redhat.com> | 2017-11-04 09:07:47 +0000 |
commit | 619637a9197877f3bda54648f9fabc4af90cf9c2 (patch) | |
tree | 87c2b0e722100c8068333b686b3636d046bd5dfa /cmd/kpod/spec.go | |
parent | 098389dc3e7bbba7c266ad24c909f3a5422e2908 (diff) | |
download | podman-619637a9197877f3bda54648f9fabc4af90cf9c2.tar.gz podman-619637a9197877f3bda54648f9fabc4af90cf9c2.tar.bz2 podman-619637a9197877f3bda54648f9fabc4af90cf9c2.zip |
Handle Linux Capabilities from command line
Had to revendor in docker/docker again, which dropped a bunch of packages
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd/kpod/spec.go')
-rw-r--r-- | cmd/kpod/spec.go | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index d30c0d1a5..6041f301a 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"strings"
 
+	"github.com/docker/docker/daemon/caps"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/libpod/libpod"
@@ -15,6 +16,25 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
+	var err error
+	var caplist []string
+	if config.privileged {
+		caplist = caps.GetAllCapabilities()
+	} else {
+		caplist, err = caps.TweakCapabilities(defaultCapabilities(), config.capAdd, config.capDrop)
+		if err != nil {
+			return err
+		}
+	}
+
+	configSpec.Process.Capabilities.Bounding = caplist
+	configSpec.Process.Capabilities.Permitted = caplist
+	configSpec.Process.Capabilities.Inheritable = caplist
+	configSpec.Process.Capabilities.Effective = caplist
+	return nil
+}
+
 // Parses information needed to create a container into an OCI runtime spec
 func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	configSpec := config.GetDefaultLinuxSpec()
@@ -30,9 +50,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	configSpec.Process.Env = config.env
-	//TODO
-	// Need examples of capacity additions so I can load that properly
-
 	configSpec.Root.Readonly = config.readOnlyRootfs
 	configSpec.Hostname = config.hostname
@@ -110,8 +127,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 		configSpec.Linux.Seccomp = &seccompConfig
 	}
 
+	// HANDLE CAPABILITIES
+	if err := setupCapabilities(config, &configSpec); err != nil {
+		return nil, err
+	}
+
 	/*
-		Capabilities: &configSpec.LinuxCapabilities{
 		// Rlimits []PosixRlimit // Where does this come from
 		// Type string
 		// Hard uint64 |
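Review bot: setupCapabilities assigns through configSpec.Process.Capabilities four times without checking that it was allocated; Process.Capabilities is a pointer in the runtime-spec type, so if GetDefaultLinuxSpec (outside this hunk) leaves it nil the first assignment panics — a guard such as `if configSpec.Process.Capabilities == nil { configSpec.Process.Capabilities = &spec.LinuxCapabilities{} }` before the assignments would make the helper safe regardless of what the default spec does. Setting Inheritable to the same full list as Bounding and Permitted is wider than the other sets require: inheritable capabilities only take effect when a process execs a binary carrying matching file inheritable capabilities, so this lets a non-root process inside the container regain them that way; unless the project deliberately mirrors the docker daemon's behaviour here, an empty Inheritable set is the more conservative default and the choice deserves a comment either way. The error from caps.TweakCapabilities is returned bare, and since the file already imports github.com/pkg/errors, `return errors.Wrapf(err, "adjusting capabilities add=%v drop=%v", config.capAdd, config.capDrop)` would tell the user which of config.capAdd/config.capDrop was rejected. Note that the same caplist slice is shared by all four fields, so any later in-place mutation of one set silently changes the others. A doc comment on the new helper, e.g. `// setupCapabilities fills the process capability sets of configSpec from config: all capabilities when privileged, otherwise the defaults adjusted by capAdd/capDrop.`, is also missing.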