summaryrefslogtreecommitdiff
path: root/pkg/spec/spec.go
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/spec/spec.go')
-rw-r--r--pkg/spec/spec.go14
1 files changed, 14 insertions, 0 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index a4ae22efd..0e5c3f429 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -3,12 +3,14 @@ package createconfig
import (
"strings"
+ "github.com/containers/common/pkg/capabilities"
"github.com/containers/libpod/libpod"
libpodconfig "github.com/containers/libpod/libpod/config"
"github.com/containers/libpod/libpod/define"
"github.com/containers/libpod/pkg/cgroups"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/sysinfo"
+ "github.com/containers/libpod/pkg/util"
"github.com/docker/go-units"
"github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -327,6 +329,18 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
}
configSpec := g.Config
+ // If the container image specifies an label with a
+ // capabilities.ContainerImageLabel then split the comma separated list
+ // of capabilities and record them. This list indicates the only
+ // capabilities, required to run the container.
+ var capRequired []string
+ for key, val := range config.Labels {
+ if util.StringInSlice(key, capabilities.ContainerImageLabels) {
+ capRequired = strings.Split(val, ",")
+ }
+ }
+ config.Security.CapRequired = capRequired
+
if err := config.Security.ConfigureGenerator(&g, &config.User); err != nil {
return nil, err
}