
Handle Linux Capabilities from command line
Had to re-vendor docker/docker again, which dropped a number of packages.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
rhatdan committed Nov 4, 2017
1 parent 098389d commit 619637a
Showing 7 changed files with 307 additions and 141 deletions.
29 changes: 25 additions & 4 deletions cmd/kpod/spec.go
Expand Up @@ -6,6 +6,7 @@ import (
"io/ioutil"
"strings"

"github.com/docker/docker/daemon/caps"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/projectatomic/libpod/libpod"
Expand All @@ -15,6 +16,25 @@ import (
"golang.org/x/sys/unix"
)

func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
var err error
var caplist []string
if config.privileged {
caplist = caps.GetAllCapabilities()
} else {
caplist, err = caps.TweakCapabilities(defaultCapabilities(), config.capAdd, config.capDrop)
if err != nil {
return err
}
}

configSpec.Process.Capabilities.Bounding = caplist
configSpec.Process.Capabilities.Permitted = caplist
configSpec.Process.Capabilities.Inheritable = caplist
configSpec.Process.Capabilities.Effective = caplist
return nil
}

// Parses information needed to create a container into an OCI runtime spec
func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
configSpec := config.GetDefaultLinuxSpec()
Expand All @@ -30,9 +50,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {

configSpec.Process.Env = config.env

//TODO
// Need examples of capacity additions so I can load that properly

configSpec.Root.Readonly = config.readOnlyRootfs
configSpec.Hostname = config.hostname

Expand Down Expand Up @@ -110,8 +127,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
configSpec.Linux.Seccomp = &seccompConfig
}

// HANDLE CAPABILITIES
if err := setupCapabilities(config, &configSpec); err != nil {
return nil, err
}

/*
Capabilities: &configSpec.LinuxCapabilities{
// Rlimits []PosixRlimit // Where does this come from
// Type string
// Hard uint64
Expand Down
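Review bot: setupCapabilities copies the same list into Process.Capabilities.Inheritable as into Bounding, Permitted and Effective, which grants more than `--cap-drop` suggests: under the kernel's execve rules the inheritable set is what lets a non-root process pick up capabilities from a binary carrying file inheritable capabilities, so a container that switches to an unprivileged user keeps that whole list reachable (upstream Docker has, as far as I know, since stopped populating Inheritable for this reason). Consider leaving Inheritable empty, or at minimum add a comment above the four assignments stating that the sets are deliberately mirrored. Separately, runtime-spec declares Process.Capabilities as a pointer; if GetDefaultLinuxSpec (not visible here) does not allocate it, the first assignment panics, so a guard `if configSpec.Process.Capabilities == nil { configSpec.Process.Capabilities = &spec.LinuxCapabilities{} }` would make the helper self-contained. The helper also lacks a doc comment; something like `// setupCapabilities fills the process capability sets from --privileged, --cap-add and --cap-drop.` and a note that capAdd/capDrop are ignored when privileged would help. The commented-out Capabilities block left below the new call is now dead, and createConfigToOCISpec continues outside the hunk.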
20 changes: 20 additions & 0 deletions test/kpod_run.bats
Expand Up @@ -36,3 +36,23 @@ ALPINE="docker.io/library/alpine:latest"
[ "$status" -eq 0 ]

}

@test "run selinux test" {

run ${KPOD_BINARY} ${KPOD_OPTIONS} run --cap-add all ${ALPINE} cat /proc/self/status
echo "$output"
[ "$status" -eq 0 ]

run ${KPOD_BINARY} ${KPOD_OPTIONS} run --cap-add sys_admin ${ALPINE} cat /proc/self/status
echo "$output"
[ "$status" -eq 0 ]

run ${KPOD_BINARY} ${KPOD_OPTIONS} run --cap-drop all ${ALPINE} cat /proc/self/status
echo "$output"
[ "$status" -eq 0 ]

run ${KPOD_BINARY} ${KPOD_OPTIONS} run --cap-drop setuid ${ALPINE} cat /proc/self/status
echo "$output"
[ "$status" -eq 0 ]

}
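Review bot: Every case in the new test only asserts `[ "$status" -eq 0 ]`, and the `cat /proc/self/status` output is echoed but never inspected, so a regression that silently ignores `--cap-add`/`--cap-drop` would still pass. At least the `--cap-drop all` case can pin the effect, e.g. `echo "$output" | grep -q '^CapBnd:[[:space:]]*0000000000000000'`, and the `--cap-add sys_admin` and `--cap-drop setuid` cases could compare CapEff against the default run. The test name "run selinux test" also does not match what it exercises; `@test "run capabilities test"` would be clearer.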
131 changes: 131 additions & 0 deletions vendor/github.com/docker/docker/daemon/caps/utils_unix.go


60 changes: 60 additions & 0 deletions vendor/github.com/docker/docker/hack/README.md

