5 files changed, 50 insertions, 141 deletions
diff --git a/pkg/capabilities/capabilities.go b/pkg/capabilities/capabilities.go
deleted file mode 100644
index ea22498b8..000000000
--- a/pkg/capabilities/capabilities.go
+++ /dev/null
@@ -1,129 +0,0 @@
-package capabilities
-
-// Copyright 2013-2018 Docker, Inc.
-
-// NOTE: this package has been copied from github.com/docker/docker but been
-//       changed significantly to fit the needs of libpod.
-
-import (
-	"strings"
-
-	"github.com/containers/libpod/pkg/util"
-	"github.com/pkg/errors"
-	"github.com/syndtr/gocapability/capability"
-)
-
-var (
-	// Used internally and populated during init().
-	capabilityList []string
-
-	// ErrUnknownCapability is thrown when an unknown capability is processed.
-	ErrUnknownCapability = errors.New("unknown capability")
-)
-
-// All is a special value used to add/drop all known capababilities.
-// Useful on the CLI for `--cap-add=all` etc.
-const All = "ALL"
-
-func init() {
-	last := capability.CAP_LAST_CAP
-	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
-	if last == capability.Cap(63) {
-		last = capability.CAP_BLOCK_SUSPEND
-	}
-	for _, cap := range capability.List() {
-		if cap > last {
-			continue
-		}
-		capabilityList = append(capabilityList, "CAP_"+strings.ToUpper(cap.String()))
-	}
-}
-
-// AllCapabilities returns all known capabilities.
-func AllCapabilities() []string {
-	return capabilityList
-}
-
-// normalizeCapabilities normalizes caps by adding a "CAP_" prefix (if not yet
-// present).
-func normalizeCapabilities(caps []string) ([]string, error) {
-	normalized := make([]string, len(caps))
-	for i, c := range caps {
-		c = strings.ToUpper(c)
-		if c == All {
-			normalized = append(normalized, c)
-			continue
-		}
-		if !strings.HasPrefix(c, "CAP_") {
-			c = "CAP_" + c
-		}
-		if !util.StringInSlice(c, capabilityList) {
-			return nil, errors.Wrapf(ErrUnknownCapability, "%q", c)
-		}
-		normalized[i] = c
-	}
-	return normalized, nil
-}
-
-// ValidateCapabilities validates if caps only contains valid capabilities.
-func ValidateCapabilities(caps []string) error {
-	for _, c := range caps {
-		if !util.StringInSlice(c, capabilityList) {
-			return errors.Wrapf(ErrUnknownCapability, "%q", c)
-		}
-	}
-	return nil
-}
-
-// MergeCapabilities computes a set of capabilities by adding capapbitilities
-// to or dropping them from base.
-//
-// Note that "ALL" will cause all known capabilities to be added/dropped but
-// the ones specified to be dropped/added.
-func MergeCapabilities(base, adds, drops []string) ([]string, error) {
-	if len(adds) == 0 && len(drops) == 0 {
-		// Nothing to tweak; we're done
-		return base, nil
-	}
-
-	capDrop, err := normalizeCapabilities(drops)
-	if err != nil {
-		return nil, err
-	}
-	capAdd, err := normalizeCapabilities(adds)
-	if err != nil {
-		return nil, err
-	}
-
-	// Make sure that capDrop and capAdd are distinct sets.
-	for _, drop := range capDrop {
-		if util.StringInSlice(drop, capAdd) {
-			return nil, errors.Errorf("capability %q cannot be dropped and added", drop)
-		}
-	}
-
-	var caps []string
-
-	switch {
-	case util.StringInSlice(All, capAdd):
-		// Add all capabilities except ones on capDrop
-		for _, c := range capabilityList {
-			if !util.StringInSlice(c, capDrop) {
-				caps = append(caps, c)
-			}
-		}
-	case util.StringInSlice(All, capDrop):
-		// "Drop" all capabilities; use what's in capAdd instead
-		caps = capAdd
-	default:
-		// First drop some capabilities
-		for _, c := range base {
-			if !util.StringInSlice(c, capDrop) {
-				caps = append(caps, c)
-			}
-		}
-		// Then add the list of capabilities from capAdd
-		caps = append(caps, capAdd...)
-	}
-	return caps, nil
-}
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 02678a687..1d9633bb3 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -112,6 +112,7 @@ type NetworkConfig struct {
 type SecurityConfig struct {
 	CapAdd                  []string // cap-add
 	CapDrop                 []string // cap-drop
+	CapRequired             []string // cap-required
 	LabelOpts               []string //SecurityOpts
 	NoNewPrivs              bool     //SecurityOpts
 	ApparmorProfile         string   //SecurityOpts
diff --git a/pkg/spec/security.go b/pkg/spec/security.go
index 3bad9f97a..ca025eb3e 100644
--- a/pkg/spec/security.go
+++ b/pkg/spec/security.go
@@ -4,11 +4,13 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/libpod/libpod"
-	"github.com/containers/libpod/pkg/capabilities"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // ToCreateOptions convert the SecurityConfig to a slice of container create
@@ -113,28 +115,49 @@ func (c *SecurityConfig) ConfigureGenerator(g *generate.Generator, user *UserCon
 
 	configSpec := g.Config
 	var err error
-	var caplist []string
+	var defaultCaplist []string
 	bounding := configSpec.Process.Capabilities.Bounding
 	if useNotRoot(user.User) {
-		configSpec.Process.Capabilities.Bounding = caplist
+		configSpec.Process.Capabilities.Bounding = defaultCaplist
 	}
-	caplist, err = capabilities.MergeCapabilities(configSpec.Process.Capabilities.Bounding, c.CapAdd, c.CapDrop)
+	defaultCaplist, err = capabilities.MergeCapabilities(configSpec.Process.Capabilities.Bounding, c.CapAdd, c.CapDrop)
 	if err != nil {
 		return err
 	}
 
-	configSpec.Process.Capabilities.Bounding = caplist
-	configSpec.Process.Capabilities.Permitted = caplist
-	configSpec.Process.Capabilities.Inheritable = caplist
-	configSpec.Process.Capabilities.Effective = caplist
-	configSpec.Process.Capabilities.Ambient = caplist
+	privCapRequired := []string{}
+
+	if !c.Privileged && len(c.CapRequired) > 0 {
+		// Pass CapRequired in CapAdd field to normalize capabilties names
+		capRequired, err := capabilities.MergeCapabilities(nil, c.CapRequired, nil)
+		if err != nil {
+			logrus.Errorf("capabilties requested by user or image are not valid: %q", strings.Join(c.CapRequired, ","))
+		} else {
+			// Verify all capRequiered are in the defaultCapList
+			for _, cap := range capRequired {
+				if !util.StringInSlice(cap, defaultCaplist) {
+					privCapRequired = append(privCapRequired, cap)
+				}
+			}
+		}
+		if len(privCapRequired) == 0 {
+			defaultCaplist = capRequired
+		} else {
+			logrus.Errorf("capabilties requested by user or image are not allowed by default: %q", strings.Join(privCapRequired, ","))
+		}
+	}
+	configSpec.Process.Capabilities.Bounding = defaultCaplist
+	configSpec.Process.Capabilities.Permitted = defaultCaplist
+	configSpec.Process.Capabilities.Inheritable = defaultCaplist
+	configSpec.Process.Capabilities.Effective = defaultCaplist
+	configSpec.Process.Capabilities.Ambient = defaultCaplist
 	if useNotRoot(user.User) {
-		caplist, err = capabilities.MergeCapabilities(bounding, c.CapAdd, c.CapDrop)
+		defaultCaplist, err = capabilities.MergeCapabilities(bounding, c.CapAdd, c.CapDrop)
 		if err != nil {
 			return err
 		}
 	}
-	configSpec.Process.Capabilities.Bounding = caplist
+	configSpec.Process.Capabilities.Bounding = defaultCaplist
 
 	// HANDLE SECCOMP
 	if c.SeccompProfilePath != "unconfined" {
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index a4ae22efd..0e5c3f429 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -3,12 +3,14 @@ package createconfig
 import (
 	"strings"
 
+	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/libpod/libpod"
 	libpodconfig "github.com/containers/libpod/libpod/config"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/cgroups"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/sysinfo"
+	"github.com/containers/libpod/pkg/util"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/runc/libcontainer/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -327,6 +329,18 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	}
 	configSpec := g.Config
 
+	// If the container image specifies an label with a
+	// capabilities.ContainerImageLabel then split the comma separated list
+	// of capabilities and record them.  This list indicates the only
+	// capabilities, required to run the container.
+	var capRequired []string
+	for key, val := range config.Labels {
+		if util.StringInSlice(key, capabilities.ContainerImageLabels) {
+			capRequired = strings.Split(val, ",")
+		}
+	}
+	config.Security.CapRequired = capRequired
+
 	if err := config.Security.ConfigureGenerator(&g, &config.User); err != nil {
 		return nil, err
 	}
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index 17b180cde..79a83819a 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -3,9 +3,9 @@ package specgen
 import (
 	"os"
 
+	"github.com/containers/common/pkg/capabilities"
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/image"
-	"github.com/containers/libpod/pkg/capabilities"
 	"github.com/cri-o/ocicni/pkg/ocicni"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"