summaryrefslogtreecommitdiff
path: root/pkg/specgen
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-08-23 17:10:28 -0400
committerGitHub <noreply@github.com>2020-08-23 17:10:28 -0400
commite535f6177571b5828ee536f5b0b54f7d0fc03507 (patch)
tree5d2ddd072fca29ad0d462aed72cc2037c70f7ae4 /pkg/specgen
parent80d2c0135052ee8f93abd59d9e63e5699fb94288 (diff)
parent3848cac86052369c35a76f86a1f8e5471dfdf9e2 (diff)
downloadpodman-e535f6177571b5828ee536f5b0b54f7d0fc03507.tar.gz
podman-e535f6177571b5828ee536f5b0b54f7d0fc03507.tar.bz2
podman-e535f6177571b5828ee536f5b0b54f7d0fc03507.zip
Merge pull request #7274 from rhatdan/caps
In podman 1.* regression on --cap-add
Diffstat (limited to 'pkg/specgen')
-rw-r--r--pkg/specgen/generate/security.go26
1 files changed, 14 insertions, 12 deletions
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 5e4cc3399..d3e3d9278 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -112,7 +112,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
// Pass capRequiredRequested in CapAdd field to normalize capabilities names
capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil)
if err != nil {
- logrus.Errorf("capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ","))
+ return errors.Wrapf(err, "capabilities requested by user or image are not valid: %q", strings.Join(capsRequired, ","))
} else {
// Verify all capRequiered are in the capList
for _, cap := range capsRequired {
@@ -129,12 +129,6 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
}
}
- g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
-
- if err := setupApparmor(s, rtc, g); err != nil {
- return err
- }
-
configSpec := g.Config
configSpec.Process.Capabilities.Bounding = caplist
@@ -142,13 +136,21 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
- configSpec.Process.Capabilities.Ambient = caplist
} else {
- configSpec.Process.Capabilities.Effective = []string{}
- configSpec.Process.Capabilities.Permitted = []string{}
- configSpec.Process.Capabilities.Inheritable = []string{}
- configSpec.Process.Capabilities.Ambient = []string{}
+ userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd)
+ if err != nil {
+ return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
+ }
+ configSpec.Process.Capabilities.Effective = userCaps
+ configSpec.Process.Capabilities.Permitted = userCaps
}
+
+ g.SetProcessNoNewPrivileges(s.NoNewPrivileges)
+
+ if err := setupApparmor(s, rtc, g); err != nil {
+ return err
+ }
+
// HANDLE SECCOMP
if s.SeccompProfilePath != "unconfined" {
seccompConfig, err := getSeccompConfig(s, configSpec, newImage)