diff options
Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/spec.go | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go index c5ed2c0d4..e78118b2f 100644 --- a/cmd/podman/spec.go +++ b/cmd/podman/spec.go @@ -124,13 +124,9 @@ func addRlimits(config *createConfig, g *generate.Generator) error { func setupCapabilities(config *createConfig, configSpec *spec.Spec) error { var err error var caplist []string - if config.Privileged { - caplist = caps.GetAllCapabilities() - } else { - caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop) - if err != nil { - return err - } + caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop) + if err != nil { + return err } configSpec.Process.Capabilities.Bounding = caplist @@ -163,6 +159,7 @@ func addDevice(g *generate.Generator, device string) error { func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) { cgroupPerm := "ro" g := generate.New() + g.HostSpecific = true if config.Privileged { cgroupPerm = "rw" g.RemoveMount("/sys") @@ -319,8 +316,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) { // HANDLE CAPABILITIES // NOTE: Must happen before SECCOMP - if err := setupCapabilities(config, configSpec); err != nil { - return nil, err + if !config.Privileged { + if err := setupCapabilities(config, configSpec); err != nil { + return nil, err + } + } else { + g.SetupPrivileged(true) } // HANDLE SECCOMP |