diff options
Diffstat (limited to 'cmd/kpod/spec.go')
-rw-r--r-- | cmd/kpod/spec.go | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go index b990d8463..54a532803 100644 --- a/cmd/kpod/spec.go +++ b/cmd/kpod/spec.go @@ -6,6 +6,7 @@ import ( "io/ioutil" "strings" + "github.com/docker/docker/daemon/caps" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" "github.com/projectatomic/libpod/libpod" @@ -14,6 +15,25 @@ import ( "golang.org/x/sys/unix" ) +func setupCapabilities(config *createConfig, configSpec *spec.Spec) error { + var err error + var caplist []string + if config.privileged { + caplist = caps.GetAllCapabilities() + } else { + caplist, err = caps.TweakCapabilities(defaultCapabilities(), config.capAdd, config.capDrop) + if err != nil { + return err + } + } + + configSpec.Process.Capabilities.Bounding = caplist + configSpec.Process.Capabilities.Permitted = caplist + configSpec.Process.Capabilities.Inheritable = caplist + configSpec.Process.Capabilities.Effective = caplist + return nil +} + // Parses information needed to create a container into an OCI runtime spec func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) { configSpec := config.GetDefaultLinuxSpec() @@ -29,9 +49,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) { configSpec.Process.Env = config.env - //TODO - // Need examples of capacity additions so I can load that properly - configSpec.Root.Readonly = config.readOnlyRootfs configSpec.Hostname = config.hostname @@ -109,8 +126,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) { configSpec.Linux.Seccomp = &seccompConfig } + // HANDLE CAPABILITIES + if err := setupCapabilities(config, &configSpec); err != nil { + return nil, err + } + /* - Capabilities: &configSpec.LinuxCapabilities{ // Rlimits []PosixRlimit // Where does this come from // Type string // Hard uint64 |