author | Daniel J Walsh <dwalsh@redhat.com> | 2020-04-30 08:40:01 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2020-05-01 15:00:26 -0400 |
commit | 4a2765c4989df88681c18333c1ae45017e09613a (patch) | |
tree | bcdabbece6bb22b63e8c74daf1f9b191b1820c05 /vendor/github.com | |
parent | 730fbc76284fd14749863ee160e6548577e7b180 (diff) | |
Properly handle default capabilities listed in containers.conf
If a user or admin specifies a different list of default capabilities,
we need to honor it.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor/github.com')
-rw-r--r-- | vendor/github.com/containers/buildah/imagebuildah/executor.go | 5 | ||||
-rw-r--r-- | vendor/github.com/containers/common/pkg/config/config.go | 28 |
2 files changed, 6 insertions, 27 deletions
diff --git a/vendor/github.com/containers/buildah/imagebuildah/executor.go b/vendor/github.com/containers/buildah/imagebuildah/executor.go
index a0debc460..02123c822 100644
--- a/vendor/github.com/containers/buildah/imagebuildah/executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/executor.go
@@ -113,7 +113,10 @@ func NewExecutor(store storage.Store, options BuildOptions, mainNode *parser.Nod
 if err != nil {
 return nil, err
 }
- capabilities := defaultContainerConfig.Capabilities("", options.AddCapabilities, options.DropCapabilities)
+ capabilities, err := defaultContainerConfig.Capabilities("", options.AddCapabilities, options.DropCapabilities)
+ if err != nil {
+ return nil, err
+ }
 devices := []configs.Device{}
 for _, device := range append(defaultContainerConfig.Containers.Devices, options.Devices...) {
diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go
index bddbee876..0f17c27c9 100644
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@@ -709,7 +709,7 @@ func (c *Config) GetDefaultEnv() []string {
 // Capabilities returns the capabilities parses the Add and Drop capability
 // list from the default capabiltiies for the container
-func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) []string {
+func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) ([]string, error) {
 userNotRoot := func(user string) bool {
 if user == "" || user == "root" || user == "0" {
@@ -718,36 +718,12 @@ func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []s
 return true
 }
- var caps []string
 defaultCapabilities := c.Containers.DefaultCapabilities
 if userNotRoot(user) {
 defaultCapabilities = []string{}
 }
- mapCap := make(map[string]bool, len(defaultCapabilities))
- for _, c := range addCapabilities {
- if strings.ToLower(c) == "all" {
- defaultCapabilities = capabilities.AllCapabilities()
- addCapabilities = nil
- break
- }
- }
-
- for _, c := range append(defaultCapabilities, addCapabilities...) {
- mapCap[c] = true
- }
- for _, c := range dropCapabilities {
- if "all" == strings.ToLower(c) {
- return caps
- }
- mapCap[c] = false
- }
- for cap, add := range mapCap {
- if add {
- caps = append(caps, cap)
- }
- }
- return caps
+ return capabilities.MergeCapabilities(defaultCapabilities, addCapabilities, dropCapabilities)
 }
 
 // Device parses device mapping string to a src, dest & permissions string
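Review bot: The new `return capabilities.MergeCapabilities(defaultCapabilities, addCapabilities, dropCapabilities)` removes the rules the old body made explicit — a case-insensitive `all` in dropCapabilities returned an empty list regardless of adds, and `all` in addCapabilities expanded to every capability — so the privilege outcome now rests entirely on MergeCapabilities, which is outside this hunk and whose "all" handling and add/drop precedence cannot be confirmed from here. Because this list decides what the container process may do, the doc comment on Capabilities (touched in the previous hunk and still reading `// Capabilities returns the capabilities parses the Add and Drop capability`) should state the contract callers depend on, along the lines of `// Capabilities merges addCapabilities into the configured default capabilities (none for a non-root user) and removes dropCapabilities; a drop of "all" wins over any add, and an unresolvable capability name yields an error.`, adjusted to whatever MergeCapabilities actually guarantees. It is also worth confirming that MergeCapabilities does not append in place to its first argument, since `defaultCapabilities` is `c.Containers.DefaultCapabilities` itself and an in-place append could alias the shared config's backing array; `append([]string(nil), c.Containers.DefaultCapabilities...)` would isolate it. The enclosing function begins in the previous hunk, and this hunk's last two context lines appear to be cut off in the rendering.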