author | Daniel J Walsh <dwalsh@redhat.com> | 2020-02-27 14:19:07 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2020-03-02 16:37:32 -0500 |
commit | b163640c61dcb10953949a1ee28599d8a19fd046 (patch) | |
tree | e7b56307cc2778c6cab81f658515ea145d990979 /pkg/spec/spec.go | |
parent | 47c4ea39196cedac87e7a4e4c1ead54ed9d7ed50 (diff) | |
Allow devs to set labels in container images for default capabilities.
This patch allows users to specify the list of capabilities required
to run their container image.
Setting an image/container label "io.containers.capabilities=setuid,setgid"
tells podman that the contained image should work fine with just these two
capabilities; instead of running with the default capabilities, podman will
launch the container with just these capabilities.
If the user or image specified capabilities that are not in the default set,
the container will print an error message and will continue to run with the
default capabilities.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/spec/spec.go')
-rw-r--r-- | pkg/spec/spec.go | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index a4ae22efd..0e5c3f429 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -3,12 +3,14 @@ package createconfig
 import (
 	"strings"
+	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/libpod/libpod"
 	libpodconfig "github.com/containers/libpod/libpod/config"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/cgroups"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/sysinfo"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/runc/libcontainer/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -327,6 +329,18 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	}
 	configSpec := g.Config
+	// If the container image specifies an label with a
+	// capabilities.ContainerImageLabel then split the comma separated list
+	// of capabilities and record them. This list indicates the only
+	// capabilities, required to run the container.
+	var capRequired []string
+	for key, val := range config.Labels {
+		if util.StringInSlice(key, capabilities.ContainerImageLabels) {
+			capRequired = strings.Split(val, ",")
+		}
+	}
+	config.Security.CapRequired = capRequired
+
 	if err := config.Security.ConfigureGenerator(&g, &config.User); err != nil {
 		return nil, err
 	}
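Review bot: The label value is passed straight to `strings.Split(val, ",")` in the second hunk, so a value written as `setuid, setgid` yields a capability named `" setgid"` and an empty label value yields `[""]` — a one-element list containing an empty capability name — which then becomes `config.Security.CapRequired` and is presumably rejected or mis-matched downstream in ConfigureGenerator (outside this hunk) rather than being treated as "no restriction". Because `config.Labels` is a map and `capabilities.ContainerImageLabels` admits more than one key, when an image carries two matching labels the one that wins depends on Go's randomized map iteration order, so the effective capability set would differ between runs; the loop should either stop at the first match or merge the lists deterministically. The comment also reads "an label" and "capabilities, required" — suggest `// If the container image carries a capabilities.ContainerImageLabels label, split its comma-separated value and record it as the only capabilities required to run the container.`. createConfigToOCISpec begins and ends outside this hunk.

```go
	// … unchanged: configSpec := g.Config …
	var capRequired []string
	for key, val := range config.Labels {
		if !util.StringInSlice(key, capabilities.ContainerImageLabels) {
			continue
		}
		for _, c := range strings.Split(val, ",") {
			if c = strings.TrimSpace(c); c != "" {
				capRequired = append(capRequired, c)
			}
		}
	}
	config.Security.CapRequired = capRequired
	// … unchanged: ConfigureGenerator call …
```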