From e7fbf329c206397b77f39b60e1bed0c8b9de45c6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 24 Aug 2018 05:47:37 -0400
Subject: Reveal information about container capabilities
I am often asked about the list of capabilities availabel to a container. We should be listing this data in the inspect command for effective capabilities and the bounding set.
Signed-off-by: Daniel J Walsh
Closes: #1335
Approved by: TomSweeneyRedHat
---
 docs/podman-inspect.1.md | 5 +++++
 libpod/container_inspect.go | 2 ++
 pkg/inspect/inspect.go | 2 ++
 3 files changed, 9 insertions(+)
diff --git a/docs/podman-inspect.1.md b/docs/podman-inspect.1.md
index 47a189e39..ef68e929c 100644
--- a/docs/podman-inspect.1.md
+++ b/docs/podman-inspect.1.md
@@ -96,6 +96,11 @@ overlay size: 4405240 ``` +``` +podman inspect --latest --format {{.EffectiveCaps}} +[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_MKNOD CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_KILL CAP_AUDIT_WRITE] +``` + ## SEE ALSO podman(1)
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 7ed9f9be9..f2e54aeef 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -79,6 +79,8 @@ func (c *Container) getContainerInspectData(size bool, driverData *inspect.Data)
 Name: config.Name,
 Driver: driverData.Name,
 MountLabel: config.MountLabel,
+ EffectiveCaps: spec.Process.Capabilities.Effective,
+ BoundingCaps: spec.Process.Capabilities.Bounding,
 ProcessLabel: spec.Process.SelinuxLabel,
 AppArmorProfile: spec.Process.ApparmorProfile,
 ExecIDs: execIDs,
diff --git a/pkg/inspect/inspect.go b/pkg/inspect/inspect.go
index b9230027c..62ba53147 100644
--- a/pkg/inspect/inspect.go
+++ b/pkg/inspect/inspect.go
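Review bot: In libpod/container_inspect.go the two added initialisers, `spec.Process.Capabilities.Effective` and `spec.Process.Capabilities.Bounding`, dereference `Capabilities` without a nil check. In the OCI runtime-spec Go types that field is a pointer tagged omitempty, so a container whose stored spec has no capabilities block would make inspect panic at this point. Whether podman always populates the block is not visible in this hunk, so I would read the two slices into locals under `if caps := spec.Process.Capabilities; caps != nil { ... }` before the struct literal and use those locals in it. The body of getContainerInspectData starts and ends outside the hunk.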
@@ -161,6 +161,8 @@ type ContainerInspectData struct {
 MountLabel string `json:"MountLabel"`
 ProcessLabel string `json:"ProcessLabel"`
 AppArmorProfile string `json:"AppArmorProfile"`
+ EffectiveCaps []string `json:"EffectiveCaps"`
+ BoundingCaps []string `json:"BoundingCaps"`
 ExecIDs []string `json:"ExecIDs"`
 GraphDriver *Data `json:"GraphDriver"`
 SizeRw int64 `json:"SizeRw,omitempty"`
-- cgit v1.2.3-54-g00ecf
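Review bot: The new `EffectiveCaps` and `BoundingCaps` fields of ContainerInspectData carry no comment saying where their values come from. As populated in libpod/container_inspect.go in this same commit they are copied from the container's OCI spec, not read from the running process, so they describe the configured sets rather than what a process holds after it drops privileges. Someone auditing container privileges from inspect output needs to know that, so I would add `// EffectiveCaps and BoundingCaps are the capability sets configured in the container's OCI spec, not the live process's sets.` above the two fields. The comment could also state that the permitted, inheritable and ambient sets are not reported. The struct definition starts and ends outside the hunk.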