From 619637a9197877f3bda54648f9fabc4af90cf9c2 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 3 Nov 2017 19:44:23 +0000
Subject: Handle Linux Capabilities from command line

Had to revendor in docker/docker again, which dropped a bunch of packages

Signed-off-by: Daniel J Walsh
---
 cmd/kpod/spec.go | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

(limited to 'cmd/kpod/spec.go')

diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index d30c0d1a5..6041f301a 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -6,6 +6,7 @@ import (
  "io/ioutil"
  "strings"
 
+ "github.com/docker/docker/daemon/caps"
  spec "github.com/opencontainers/runtime-spec/specs-go"
  "github.com/pkg/errors"
  "github.com/projectatomic/libpod/libpod"
@@ -15,6 +16,25 @@ import (
  "golang.org/x/sys/unix"
 )
 
+func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
+ var err error
+ var caplist []string
+ if config.privileged {
+ caplist = caps.GetAllCapabilities()
+ } else {
+ caplist, err = caps.TweakCapabilities(defaultCapabilities(), config.capAdd, config.capDrop)
+ if err != nil {
+ return err
+ }
+ }
+
+ configSpec.Process.Capabilities.Bounding = caplist
+ configSpec.Process.Capabilities.Permitted = caplist
+ configSpec.Process.Capabilities.Inheritable = caplist
+ configSpec.Process.Capabilities.Effective = caplist
+ return nil
+}
+
 // Parses information needed to create a container into an OCI runtime spec
 func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
  configSpec := config.GetDefaultLinuxSpec()
@@ -30,9 +50,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 
  configSpec.Process.Env = config.env
 
- //TODO
- // Need examples of capacity additions so I can load that properly
-
  configSpec.Root.Readonly = config.readOnlyRootfs
  configSpec.Hostname = config.hostname
 
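Review bot: setupCapabilities copies the full list into `Process.Capabilities.Inheritable` as well as Bounding/Permitted/Effective; a non-empty inheritable set lets a non-root process inside the container regain those capabilities by exec'ing a binary whose file capabilities carry them, so the privilege actually reachable is wider than the --cap-drop list suggests. Docker/Moby and runc later changed this exact pattern to leave Inheritable empty (CVE-2022-24769), so the `configSpec.Process.Capabilities.Inheritable = caplist` line should probably be removed, or a comment should state why it is intentionally kept. In the privileged branch capAdd and capDrop are silently ignored, so `--privileged --cap-drop X` drops nothing; that deserves a comment such as `// --privileged grants every capability; --cap-add/--cap-drop are ignored here` or a warning to the user. The four assignments also dereference `configSpec.Process.Capabilities` with no nil check; if GetDefaultLinuxSpec (outside this hunk) does not allocate that struct this panics, so a guard like `if configSpec.Process.Capabilities == nil { configSpec.Process.Capabilities = &spec.LinuxCapabilities{} }` would make the helper self-contained, and the function still lacks a doc comment describing which sets it fills.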
@@ -110,8 +127,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
  configSpec.Linux.Seccomp = &seccompConfig
  }
 
+ // HANDLE CAPABILITIES
+ if err := setupCapabilities(config, &configSpec); err != nil {
+ return nil, err
+ }
+
  /*
- Capabilities: &configSpec.LinuxCapabilities{
  // Rlimits []PosixRlimit // Where does this come from
  // Type string
  // Hard uint64
-- cgit v1.2.3-54-g00ecf
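Review bot: The error from setupCapabilities is returned bare at `return nil, err`, although the file imports github.com/pkg/errors (visible in the import hunk); wrapping it as `return nil, errors.Wrap(err, "error setting up capabilities")` tells the user that an invalid --cap-add/--cap-drop value, rather than some other part of spec generation, was rejected. As a point of style, the shouting `// HANDLE CAPABILITIES` would read better as `// Apply the capability sets derived from --privileged, --cap-add and --cap-drop`, and the `/*` block that follows, now that its Capabilities line is removed, is orphaned commented-out code that could be deleted rather than kept. createConfigToOCISpec starts and continues outside this hunk.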