From 2a39a6195aeb547c319e7de849f613e95c22c608 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Wed, 23 Dec 2020 21:53:55 +0100
Subject: exec: honor --privileged

write the capabilities to the configuration passed to the OCI
runtime.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 libpod/oci_conmon_linux.go | 7 +++++++
 1 file changed, 7 insertions(+)


diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 10f97a8f9..199b40097 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1193,6 +1193,13 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
 	pspec := c.config.Spec.Process
 	pspec.SelinuxLabel = c.config.ProcessLabel
 	pspec.Args = options.Cmd
+	for _, cap := range options.CapAdd {
+		pspec.Capabilities.Bounding = append(pspec.Capabilities.Bounding, cap)
+		pspec.Capabilities.Effective = append(pspec.Capabilities.Effective, cap)
+		pspec.Capabilities.Inheritable = append(pspec.Capabilities.Inheritable, cap)
+		pspec.Capabilities.Permitted = append(pspec.Capabilities.Permitted, cap)
+		pspec.Capabilities.Ambient = append(pspec.Capabilities.Ambient, cap)
+	}
 	// We need to default this to false else it will inherit terminal as true
 	// from the container.
 	pspec.Terminal = false
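Review bot: The appends at lines 24-29 go through `pspec`, which the line above takes from `c.config.Spec.Process`; if that is a pointer into the container's own spec (it is `*Process` in the OCI runtime-spec type), every `--privileged` exec grows the container's stored capability sets in place, and a later exec session without `--privileged` inherits them. Copying the process spec before mutating it and appending to cloned slices rather than the stored ones keeps the grant local to the session, as sketched below. The loop also dereferences `pspec.Capabilities` without a nil check, so an exec reaching this point on a spec with no capability set would panic; decide there whether to allocate a fresh set or reject the request. As a point of style, the loop variable `cap` shadows the builtin; `capName` reads better. prepareProcessExec's body continues on both sides of the hunk.
```go
	// Work on a copy: c.config.Spec.Process is the container's own spec, and
	// appending capabilities to it in place would persist them into later execs.
	pcopy := *c.config.Spec.Process
	pspec := &pcopy
	pspec.SelinuxLabel = c.config.ProcessLabel
	pspec.Args = options.Cmd
	if len(options.CapAdd) > 0 && pspec.Capabilities != nil {
		clone := func(s []string) []string { return append([]string(nil), s...) }
		caps := *pspec.Capabilities
		caps.Bounding = append(clone(caps.Bounding), options.CapAdd...)
		caps.Effective = append(clone(caps.Effective), options.CapAdd...)
		caps.Inheritable = append(clone(caps.Inheritable), options.CapAdd...)
		caps.Permitted = append(clone(caps.Permitted), options.CapAdd...)
		caps.Ambient = append(clone(caps.Ambient), options.CapAdd...)
		pspec.Capabilities = &caps
	}
	// … unchanged: Terminal defaulting and the rest of prepareProcessExec …
```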
-- 