Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/adapter/sigproxy_linux.go | 4 | ||||
-rw-r--r-- | pkg/adapter/terminal.go | 6 | ||||
-rw-r--r-- | pkg/api/handlers/containers_create.go | 2 | ||||
-rw-r--r-- | pkg/capabilities/capabilities.go | 129 | ||||
-rw-r--r-- | pkg/signal/signal_linux.go | 127 | ||||
-rw-r--r-- | pkg/signal/signal_unsupported.go | 28 | ||||
-rw-r--r-- | pkg/spec/security.go | 6 | ||||
-rw-r--r-- | pkg/util/utils.go | 2 |
8 files changed, 294 insertions, 10 deletions
diff --git a/pkg/adapter/sigproxy_linux.go b/pkg/adapter/sigproxy_linux.go
index 35745a6aa..8295e4250 100644
--- a/pkg/adapter/sigproxy_linux.go
+++ b/pkg/adapter/sigproxy_linux.go
@@ -5,7 +5,7 @@ import (
 "syscall"
 "github.com/containers/libpod/libpod"
- "github.com/docker/docker/pkg/signal"
+ "github.com/containers/libpod/pkg/signal"
 "github.com/sirupsen/logrus"
 )
@@ -20,7 +20,7 @@ func ProxySignals(ctr *libpod.Container) {
 for s := range sigBuffer {
 // Ignore SIGCHLD and SIGPIPE - these are mostly likely
 // intended for the podman command itself.
- if s == signal.SIGCHLD || s == signal.SIGPIPE {
+ if s == syscall.SIGCHLD || s == syscall.SIGPIPE {
 continue
 }
diff --git a/pkg/adapter/terminal.go b/pkg/adapter/terminal.go
index 51b747d23..499e77def 100644
--- a/pkg/adapter/terminal.go
+++ b/pkg/adapter/terminal.go
@@ -3,9 +3,9 @@ package adapter
 import (
 "context"
 "os"
- gosignal "os/signal"
+ "os/signal"
- "github.com/docker/docker/pkg/signal"
+ lsignal "github.com/containers/libpod/pkg/signal"
 "github.com/docker/docker/pkg/term"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
@@ -33,7 +33,7 @@ func getResize() *remotecommand.TerminalSize {
 // Helper for prepareAttach - set up a goroutine to generate terminal resize events
 func resizeTty(ctx context.Context, resize chan remotecommand.TerminalSize) {
 sigchan := make(chan os.Signal, 1)
- gosignal.Notify(sigchan, signal.SIGWINCH)
+ signal.Notify(sigchan, lsignal.SIGWINCH)
 go func() {
 defer close(resize)
 // Update the terminal size immediately without waiting
diff --git a/pkg/api/handlers/containers_create.go b/pkg/api/handlers/containers_create.go
index 4781b23bc..48f0de94d 100644
--- a/pkg/api/handlers/containers_create.go
+++ b/pkg/api/handlers/containers_create.go
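Review bot: `signal.Notify(sigchan, lsignal.SIGWINCH)` in resizeTty now registers a value that is a real signal only on Linux: this commit's signal_unsupported.go defines `SIGWINCH = syscall.Signal(0xff)` as a stand-in for other platforms, and since terminal.go carries no build constraint it presumably compiles there too, in which case no resize event can arrive and the goroutine only ever reports the initial size. A comment at this line would save the cross-file lookup, e.g. `// lsignal.SIGWINCH is a placeholder on non-Linux builds; resize events are only delivered on Linux.` resizeTty continues beyond the end of the hunk.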
@@ -12,9 +12,9 @@ import (
 image2 "github.com/containers/libpod/libpod/image"
 "github.com/containers/libpod/pkg/api/handlers/utils"
 "github.com/containers/libpod/pkg/namespaces"
+ "github.com/containers/libpod/pkg/signal"
 createconfig "github.com/containers/libpod/pkg/spec"
 "github.com/containers/storage"
- "github.com/docker/docker/pkg/signal"
 "github.com/gorilla/schema"
 "github.com/pkg/errors"
 log "github.com/sirupsen/logrus"
diff --git a/pkg/capabilities/capabilities.go b/pkg/capabilities/capabilities.go
new file mode 100644
index 000000000..ea22498b8
--- /dev/null
+++ b/pkg/capabilities/capabilities.go
@@ -0,0 +1,129 @@
+package capabilities
+
+// Copyright 2013-2018 Docker, Inc.
+
+// NOTE: this package has been copied from github.com/docker/docker but been
+// changed significantly to fit the needs of libpod.
+
+import (
+ "strings"
+
+ "github.com/containers/libpod/pkg/util"
+ "github.com/pkg/errors"
+ "github.com/syndtr/gocapability/capability"
+)
+
+var (
+ // Used internally and populated during init().
+ capabilityList []string
+
+ // ErrUnknownCapability is thrown when an unknown capability is processed.
+ ErrUnknownCapability = errors.New("unknown capability")
+)
+
+// All is a special value used to add/drop all known capababilities.
+// Useful on the CLI for `--cap-add=all` etc.
+const All = "ALL"
+
+func init() {
+ last := capability.CAP_LAST_CAP
+ // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+ if last == capability.Cap(63) {
+ last = capability.CAP_BLOCK_SUSPEND
+ }
+ for _, cap := range capability.List() {
+ if cap > last {
+ continue
+ }
+ capabilityList = append(capabilityList, "CAP_"+strings.ToUpper(cap.String()))
+ }
+}
+
+// AllCapabilities returns all known capabilities.
+func AllCapabilities() []string {
+ return capabilityList
+}
+
+// normalizeCapabilities normalizes caps by adding a "CAP_" prefix (if not yet
+// present).
+func normalizeCapabilities(caps []string) ([]string, error) {
+ normalized := make([]string, len(caps))
+ for i, c := range caps {
+ c = strings.ToUpper(c)
+ if c == All {
+ normalized = append(normalized, c)
+ continue
+ }
+ if !strings.HasPrefix(c, "CAP_") {
+ c = "CAP_" + c
+ }
+ if !util.StringInSlice(c, capabilityList) {
+ return nil, errors.Wrapf(ErrUnknownCapability, "%q", c)
+ }
+ normalized[i] = c
+ }
+ return normalized, nil
+}
+
+// ValidateCapabilities validates if caps only contains valid capabilities.
+func ValidateCapabilities(caps []string) error {
+ for _, c := range caps {
+ if !util.StringInSlice(c, capabilityList) {
+ return errors.Wrapf(ErrUnknownCapability, "%q", c)
+ }
+ }
+ return nil
+}
+
+// MergeCapabilities computes a set of capabilities by adding capapbitilities
+// to or dropping them from base.
+//
+// Note that "ALL" will cause all known capabilities to be added/dropped but
+// the ones specified to be dropped/added.
+func MergeCapabilities(base, adds, drops []string) ([]string, error) {
+ if len(adds) == 0 && len(drops) == 0 {
+ // Nothing to tweak; we're done
+ return base, nil
+ }
+
+ capDrop, err := normalizeCapabilities(drops)
+ if err != nil {
+ return nil, err
+ }
+ capAdd, err := normalizeCapabilities(adds)
+ if err != nil {
+ return nil, err
+ }
+
+ // Make sure that capDrop and capAdd are distinct sets.
+ for _, drop := range capDrop {
+ if util.StringInSlice(drop, capAdd) {
+ return nil, errors.Errorf("capability %q cannot be dropped and added", drop)
+ }
+ }
+
+ var caps []string
+
+ switch {
+ case util.StringInSlice(All, capAdd):
+ // Add all capabilities except ones on capDrop
+ for _, c := range capabilityList {
+ if !util.StringInSlice(c, capDrop) {
+ caps = append(caps, c)
+ }
+ }
+ case util.StringInSlice(All, capDrop):
+ // "Drop" all capabilities; use what's in capAdd instead
+ caps = capAdd
+ default:
+ // First drop some capabilities
+ for _, c := range base {
+ if !util.StringInSlice(c, capDrop) {
+ caps = append(caps, c)
+ }
+ }
+ // Then add the list of capabilities from capAdd
+ caps = append(caps, capAdd...)
+ }
+ return caps, nil
+}
diff --git a/pkg/signal/signal_linux.go b/pkg/signal/signal_linux.go
new file mode 100644
index 000000000..3d549898f
--- /dev/null
+++ b/pkg/signal/signal_linux.go
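Review bot: `normalizeCapabilities` pre-sizes `normalized` with `make([]string, len(caps))` but the `All` branch uses `append`, so an input such as `["all", "net_admin"]` comes back as `["", "CAP_NET_ADMIN", "ALL"]` with a bogus empty entry where "ALL" should sit. The `All` paths in `MergeCapabilities` never read those slices element-wise, so the defect is latent, but it already shows in the distinct-set check: with "ALL" in both adds and drops the error reads `capability "" cannot be dropped and added` instead of naming ALL. The fix is two lines: `normalized := make([]string, 0, len(caps))` and `normalized = append(normalized, c)` in place of `normalized[i] = c`. Separately, the `default` case appends `capAdd` without checking whether `base` already holds the entry, so the returned list can contain duplicates when a capability in the base set is also passed in adds.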
@@ -0,0 +1,127 @@
+// +build linux
+
+// Signal handling for Linux only.
+package signal
+
+// Copyright 2013-2018 Docker, Inc.
+
+// NOTE: this package has originally been copied from github.com/docker/docker.
+
+import (
+ "fmt"
+ "os"
+ "os/signal"
+ "strconv"
+ "strings"
+ "syscall"
+
+ "golang.org/x/sys/unix"
+)
+
+const (
+ sigrtmin = 34
+ sigrtmax = 64
+
+ SIGWINCH = syscall.SIGWINCH // For cross-compilation with Windows
+)
+
+// signalMap is a map of Linux signals.
+var signalMap = map[string]syscall.Signal{
+ "ABRT": unix.SIGABRT,
+ "ALRM": unix.SIGALRM,
+ "BUS": unix.SIGBUS,
+ "CHLD": unix.SIGCHLD,
+ "CLD": unix.SIGCLD,
+ "CONT": unix.SIGCONT,
+ "FPE": unix.SIGFPE,
+ "HUP": unix.SIGHUP,
+ "ILL": unix.SIGILL,
+ "INT": unix.SIGINT,
+ "IO": unix.SIGIO,
+ "IOT": unix.SIGIOT,
+ "KILL": unix.SIGKILL,
+ "PIPE": unix.SIGPIPE,
+ "POLL": unix.SIGPOLL,
+ "PROF": unix.SIGPROF,
+ "PWR": unix.SIGPWR,
+ "QUIT": unix.SIGQUIT,
+ "SEGV": unix.SIGSEGV,
+ "STKFLT": unix.SIGSTKFLT,
+ "STOP": unix.SIGSTOP,
+ "SYS": unix.SIGSYS,
+ "TERM": unix.SIGTERM,
+ "TRAP": unix.SIGTRAP,
+ "TSTP": unix.SIGTSTP,
+ "TTIN": unix.SIGTTIN,
+ "TTOU": unix.SIGTTOU,
+ "URG": unix.SIGURG,
+ "USR1": unix.SIGUSR1,
+ "USR2": unix.SIGUSR2,
+ "VTALRM": unix.SIGVTALRM,
+ "WINCH": unix.SIGWINCH,
+ "XCPU": unix.SIGXCPU,
+ "XFSZ": unix.SIGXFSZ,
+ "RTMIN": sigrtmin,
+ "RTMIN+1": sigrtmin + 1,
+ "RTMIN+2": sigrtmin + 2,
+ "RTMIN+3": sigrtmin + 3,
+ "RTMIN+4": sigrtmin + 4,
+ "RTMIN+5": sigrtmin + 5,
+ "RTMIN+6": sigrtmin + 6,
+ "RTMIN+7": sigrtmin + 7,
+ "RTMIN+8": sigrtmin + 8,
+ "RTMIN+9": sigrtmin + 9,
+ "RTMIN+10": sigrtmin + 10,
+ "RTMIN+11": sigrtmin + 11,
+ "RTMIN+12": sigrtmin + 12,
+ "RTMIN+13": sigrtmin + 13,
+ "RTMIN+14": sigrtmin + 14,
+ "RTMIN+15": sigrtmin + 15,
+ "RTMAX-14": sigrtmax - 14,
+ "RTMAX-13": sigrtmax - 13,
+ "RTMAX-12": sigrtmax - 12,
+ "RTMAX-11": sigrtmax - 11,
+ "RTMAX-10": sigrtmax - 10,
+ "RTMAX-9": sigrtmax - 9,
+ "RTMAX-8": sigrtmax - 8,
+ "RTMAX-7": sigrtmax - 7,
+ "RTMAX-6": sigrtmax - 6,
+ "RTMAX-5": sigrtmax - 5,
+ "RTMAX-4": sigrtmax - 4,
+ "RTMAX-3": sigrtmax - 3,
+ "RTMAX-2": sigrtmax - 2,
+ "RTMAX-1": sigrtmax - 1,
+ "RTMAX": sigrtmax,
+}
+
+// ParseSignal translates a string to a valid syscall signal.
+// It returns an error if the signal map doesn't include the given signal.
+func ParseSignal(rawSignal string) (syscall.Signal, error) {
+ s, err := strconv.Atoi(rawSignal)
+ if err == nil {
+ if s == 0 {
+ return -1, fmt.Errorf("invalid signal: %s", rawSignal)
+ }
+ return syscall.Signal(s), nil
+ }
+ signal, ok := signalMap[strings.TrimPrefix(strings.ToUpper(rawSignal), "SIG")]
+ if !ok {
+ return -1, fmt.Errorf("invalid signal: %s", rawSignal)
+ }
+ return signal, nil
+}
+
+// CatchAll catches all signals and relays them to the specified channel.
+func CatchAll(sigc chan os.Signal) {
+ var handledSigs []os.Signal
+ for _, s := range signalMap {
+ handledSigs = append(handledSigs, s)
+ }
+ signal.Notify(sigc, handledSigs...)
+}
+
+// StopCatch stops catching the signals and closes the specified channel.
+func StopCatch(sigc chan os.Signal) {
+ signal.Stop(sigc)
+ close(sigc)
+}
diff --git a/pkg/signal/signal_unsupported.go b/pkg/signal/signal_unsupported.go
new file mode 100644
index 000000000..0a92a5b3a
--- /dev/null
+++ b/pkg/signal/signal_unsupported.go
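Review bot: `ParseSignal` rejects only `0` on the numeric path, so negative values and numbers above `sigrtmax` (64) are handed back as a `syscall.Signal` and surface, if at all, only when the kill syscall later fails; the name path is validated against `signalMap`, and a user-supplied number deserves the same bound. Suggest `if s <= 0 || s > sigrtmax {` in place of `if s == 0 {`, keeping the existing `invalid signal` error. The doc comment should then say that numeric input must fall within 1..64, since today it only mentions the map lookup.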
@@ -0,0 +1,28 @@
+// +build !linux
+
+// Signal handling for Linux only.
+package signal
+
+import (
+ "fmt"
+ "os"
+ "syscall"
+)
+
+const SIGWINCH = syscall.Signal(0xff)
+
+// ParseSignal translates a string to a valid syscall signal.
+// It returns an error if the signal map doesn't include the given signal.
+func ParseSignal(rawSignal string) (syscall.Signal, error) {
+ return 0, fmt.Errorf("unsupported on non-linux platforms")
+}
+
+// CatchAll catches all signals and relays them to the specified channel.
+func CatchAll(sigc chan os.Signal) {
+ panic("Unsupported on non-linux platforms")
+}
+
+// StopCatch stops catching the signals and closes the specified channel.
+func StopCatch(sigc chan os.Signal) {
+ panic("Unsupported on non-linux platforms")
+}
diff --git a/pkg/spec/security.go b/pkg/spec/security.go
index 372fe87c6..3bad9f97a 100644
--- a/pkg/spec/security.go
+++ b/pkg/spec/security.go
@@ -5,7 +5,7 @@ import (
 "strings"
 "github.com/containers/libpod/libpod"
- "github.com/docker/docker/oci/caps"
+ "github.com/containers/libpod/pkg/capabilities"
 "github.com/opencontainers/runtime-tools/generate"
 "github.com/opencontainers/selinux/go-selinux/label"
 "github.com/pkg/errors"
@@ -118,7 +118,7 @@ func (c *SecurityConfig) ConfigureGenerator(g *generate.Generator, user *UserCon
 if useNotRoot(user.User) {
 configSpec.Process.Capabilities.Bounding = caplist
 }
- caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, c.CapAdd, c.CapDrop, nil, false)
+ caplist, err = capabilities.MergeCapabilities(configSpec.Process.Capabilities.Bounding, c.CapAdd, c.CapDrop)
 if err != nil {
 return err
 }
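Review bot: The file comment `// Signal handling for Linux only.` is carried over from signal_linux.go and is wrong for a `!linux` build file, and the doc comments on `CatchAll` and `StopCatch` describe behaviour the stubs do not have: both `panic` rather than report an error, so a non-Linux caller reaching them crashes at runtime. Suggest `// Stubs for non-Linux builds; signal handling is implemented only on Linux.` for the file comment, and doc comments that state the actual contract, e.g. `// CatchAll panics: catching signals is unsupported on non-Linux platforms.` with the same wording for `StopCatch`. The `SIGWINCH = syscall.Signal(0xff)` constant also deserves a one-line comment saying it is a stand-in value rather than a real signal, since terminal.go in this commit passes it to `signal.Notify`.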
@@ -129,7 +129,7 @@ func (c *SecurityConfig) ConfigureGenerator(g *generate.Generator, user *UserCon
 configSpec.Process.Capabilities.Effective = caplist
 configSpec.Process.Capabilities.Ambient = caplist
 if useNotRoot(user.User) {
- caplist, err = caps.TweakCapabilities(bounding, c.CapAdd, c.CapDrop, nil, false)
+ caplist, err = capabilities.MergeCapabilities(bounding, c.CapAdd, c.CapDrop)
 if err != nil {
 return err
 }
diff --git a/pkg/util/utils.go b/pkg/util/utils.go
index 6aa3c221e..4a52ea68d 100644
--- a/pkg/util/utils.go
+++ b/pkg/util/utils.go
@@ -18,9 +18,9 @@ import (
 "github.com/containers/libpod/pkg/errorhandling"
 "github.com/containers/libpod/pkg/namespaces"
 "github.com/containers/libpod/pkg/rootless"
+ "github.com/containers/libpod/pkg/signal"
 "github.com/containers/storage"
 "github.com/containers/storage/pkg/idtools"
- "github.com/docker/docker/pkg/signal"
 v1 "github.com/opencontainers/image-spec/specs-go/v1"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus" |