Beispiel #1
0
func (d *driver) setPrivileged(container *libcontainer.Container) error {
	container.Capabilities = libcontainer.GetAllCapabilities()
	container.Cgroups.DeviceAccess = true

	delete(container.Context, "restrictions")

	if apparmor.IsEnabled() {
		container.Context["apparmor_profile"] = "unconfined"
	}
	return nil
}
func (d *driver) setPrivileged(container *libcontainer.Container) (err error) {
	container.Capabilities = libcontainer.GetAllCapabilities()
	container.Cgroups.DeviceAccess = true

	delete(container.Context, "restrictions")

	container.OptionalDeviceNodes = nil
	if container.RequiredDeviceNodes, err = nodes.GetHostDeviceNodes(); err != nil {
		return err
	}

	if apparmor.IsEnabled() {
		container.Context["apparmor_profile"] = "unconfined"
	}
	return nil
}
Beispiel #3
0
func TestDropCap(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cap.drop=MKNOD",
		}
	)
	// enabled all caps like in privileged mode
	container.Capabilities = libcontainer.GetAllCapabilities()
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if hasCapability("MKNOD", container.Capabilities) {
		t.Fatal("container should not have MKNOD enabled")
	}
}
Beispiel #4
0
func (d *driver) setPrivileged(container *libcontainer.Container) (err error) {
	container.Capabilities = libcontainer.GetAllCapabilities()
	container.Cgroups.AllowAllDevices = true

	hostDeviceNodes, err := devices.GetHostDeviceNodes()
	if err != nil {
		return err
	}
	container.DeviceNodes = hostDeviceNodes

	delete(container.Context, "restrictions")

	if apparmor.IsEnabled() {
		container.Context["apparmor_profile"] = "unconfined"
	}
	return nil
}