2 files changed, 76 insertions, 7 deletions

diff --git a/libpod/kube.go b/libpod/kube.go
index 05a6537c4..c164ca0c5 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -11,6 +11,7 @@ import (
 	"github.com/containers/libpod/pkg/util"
 	"github.com/cri-o/ocicni/pkg/ocicni"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"k8s.io/api/core/v1"
@@ -335,20 +336,69 @@ func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, error) {
 	return vms, nil
 }
 
+func determineCapAddDropFromCapabilities(defaultCaps, containerCaps []string) *v1.Capabilities {
+	var (
+		drop []v1.Capability
+		add  []v1.Capability
+	)
+	// Find caps in the defaultCaps but not in the container's
+	// those indicate a dropped cap
+	for _, capability := range defaultCaps {
+		if !util.StringInSlice(capability, containerCaps) {
+			cap := v1.Capability(capability)
+			drop = append(drop, cap)
+		}
+	}
+	// Find caps in the container but not in the defaults; those indicate
+	// an added cap
+	for _, capability := range containerCaps {
+		if !util.StringInSlice(capability, defaultCaps) {
+			cap := v1.Capability(capability)
+			add = append(add, cap)
+		}
+	}
+
+	return &v1.Capabilities{
+		Add:  add,
+		Drop: drop,
+	}
+}
+
+func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) {
+	g, err := generate.New("linux")
+	if err != nil {
+		return nil, err
+	}
+	// Combine all the default capabilities into a slice
+	defaultCaps := append(g.Config.Process.Capabilities.Ambient, g.Config.Process.Capabilities.Bounding...)
+	defaultCaps = append(defaultCaps, g.Config.Process.Capabilities.Effective...)
+	defaultCaps = append(defaultCaps, g.Config.Process.Capabilities.Inheritable...)
+	defaultCaps = append(defaultCaps, g.Config.Process.Capabilities.Permitted...)
+
+	// Combine all the container's capabilities into a slic
+	containerCaps := append(caps.Ambient, caps.Bounding...)
+	containerCaps = append(containerCaps, caps.Effective...)
+	containerCaps = append(containerCaps, caps.Inheritable...)
+	containerCaps = append(containerCaps, caps.Permitted...)
+
+	calculatedCaps := determineCapAddDropFromCapabilities(defaultCaps, containerCaps)
+	return calculatedCaps, nil
+}
+
 // generateKubeSecurityContext generates a securityContext based on the existing container
 func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
 	priv := c.Privileged()
 	ro := c.IsReadOnly()
 	allowPrivEscalation := !c.Spec().Process.NoNewPrivileges
 
-	// TODO enable use of capabilities when we can figure out how to extract cap-add|remove
-	//caps := v1.Capabilities{
-	//	//Add: c.config.Spec.Process.Capabilities
-	//}
+	newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
+	if err != nil {
+		return nil, err
+	}
+
 	sc := v1.SecurityContext{
-		// TODO enable use of capabilities when we can figure out how to extract cap-add|remove
-		//Capabilities: &caps,
-		Privileged: &priv,
+		Capabilities: newCaps,
+		Privileged:   &priv,
 		// TODO How do we know if selinux were passed into podman
 		//SELinuxOptions:
 		// RunAsNonRoot is an optional parameter; our first implementations should be root only; however
diff --git a/libpod/options.go b/libpod/options.go
index 352e6a506..9aa657ddd 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -29,9 +29,12 @@ func WithStorageConfig(config storage.StoreOptions) RuntimeOption {
 			return ErrRuntimeFinalized
 		}
 
+		setField := false
+
 		if config.RunRoot != "" {
 			rt.config.StorageConfig.RunRoot = config.RunRoot
 			rt.configuredFrom.storageRunRootSet = true
+			setField = true
 		}
 
 		if config.GraphRoot != "" {
@@ -42,16 +45,20 @@ func WithStorageConfig(config storage.StoreOptions) RuntimeOption {
 			// of the c/storage store by default
 			rt.config.StaticDir = filepath.Join(config.GraphRoot, "libpod")
 			rt.configuredFrom.libpodStaticDirSet = true
+
+			setField = true
 		}
 
 		if config.GraphDriverName != "" {
 			rt.config.StorageConfig.GraphDriverName = config.GraphDriverName
 			rt.configuredFrom.storageGraphDriverSet = true
+			setField = true
 		}
 
 		if config.GraphDriverOptions != nil {
 			rt.config.StorageConfig.GraphDriverOptions = make([]string, len(config.GraphDriverOptions))
 			copy(rt.config.StorageConfig.GraphDriverOptions, config.GraphDriverOptions)
+			setField = true
 		}
 
 		if config.UIDMap != nil {
@@ -64,6 +71,18 @@ func WithStorageConfig(config storage.StoreOptions) RuntimeOption {
 			copy(rt.config.StorageConfig.GIDMap, config.GIDMap)
 		}
 
+		// If any one of runroot, graphroot, graphdrivername,
+		// or graphdriveroptions are set, then GraphRoot and RunRoot
+		// must be set
+		if setField {
+			if rt.config.StorageConfig.GraphRoot == "" {
+				rt.config.StorageConfig.GraphRoot = storage.DefaultStoreOptions.GraphRoot
+			}
+			if rt.config.StorageConfig.RunRoot == "" {
+				rt.config.StorageConfig.RunRoot = storage.DefaultStoreOptions.RunRoot
+			}
+		}
+
 		return nil
 	}
 }