func setupCapabilities(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
var finalCapList []string
// Add all capabilities in privileged mode.
privileged := context.Bool("privileged")
if privileged {
for _, cap := range capability.List() {
finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
}
spec.Linux.Capabilities = finalCapList
return nil
}
capMappings := make(map[string]bool)
for _, cap := range capability.List() {
key := strings.ToUpper(cap.String())
capMappings[key] = true
}
addedCapsMap := make(map[string]bool)
for _, cap := range defaultCaps {
addedCapsMap[cap] = true
}
addCapList := make([]string, len(defaultCaps))
copy(addCapList, defaultCaps)
addCaps := context.StringSlice("cap-add")
for _, c := range addCaps {
if !capMappings[c] {
return fmt.Errorf("Invalid value passed for adding capability")
}
cp := fmt.Sprintf("CAP_%s", c)
if !addedCapsMap[cp] {
addCapList = append(addCapList, cp)
addedCapsMap[cp] = true
}
}
dropCaps := context.StringSlice("cap-drop")
dropCapsMap := make(map[string]bool)
for _, c := range dropCaps {
if !capMappings[c] {
return fmt.Errorf("Invalid value passed for dropping capability")
}
cp := fmt.Sprintf("CAP_%s", c)
dropCapsMap[cp] = true
}
for _, c := range addCapList {
if !dropCapsMap[c] {
finalCapList = append(finalCapList, c)
}
}
spec.Linux.Capabilities = finalCapList
return nil
}
func validateCapabilities(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec) error {
fmt.Println("validating capabilities")
capabilityMap := make(map[string]capability.Cap)
expectedCaps := make(map[capability.Cap]bool)
last := capability.CAP_LAST_CAP
// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
}
for _, cap := range capability.List() {
if cap > last {
continue
}
capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))
capabilityMap[capKey] = cap
expectedCaps[cap] = false
}
for _, ec := range spec.Linux.Capabilities {
cap := capabilityMap[ec]
expectedCaps[cap] = true
}
processCaps, err := capability.NewPid(1)
if err != nil {
return err
}
for _, cap := range capability.List() {
expectedSet := expectedCaps[cap]
actuallySet := processCaps.Get(capability.EFFECTIVE, cap)
if expectedSet != actuallySet {
if expectedSet {
return fmt.Errorf("Expected Capability %v not set for process", cap.String())
} else {
return fmt.Errorf("Unexpected Capability %v set for process", cap.String())
}
}
}
return nil
}
func init() {
capabilityMap = make(map[string]capability.Cap)
last := capability.CAP_LAST_CAP
// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
}
for _, cap := range capability.List() {
if cap > last {
continue
}
capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))
capabilityMap[capKey] = cap
}
}
// SetupPrivileged sets up the priviledge-related fields inside g.spec.
func (g *Generator) SetupPrivileged(privileged bool) {
if privileged {
// Add all capabilities in privileged mode.
var finalCapList []string
for _, cap := range capability.List() {
if g.HostSpecific && cap > lastCap() {
continue
}
finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
}
g.initSpecLinux()
g.spec.Process.Capabilities = finalCapList
g.spec.Process.SelinuxLabel = ""
g.spec.Process.ApparmorProfile = ""
g.spec.Linux.Seccomp = nil
}
}
func init() {
last := capability.CAP_LAST_CAP
// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
}
for _, cap := range capability.List() {
if cap > last {
continue
}
capabilityList = append(capabilityList,
&CapabilityMapping{
Key: strings.ToUpper(cap.String()),
Value: cap,
},
)
}
}
func checkCap(c string, hostSpecific bool) error {
isValid := false
cp := strings.ToUpper(c)
for _, cap := range capability.List() {
if cp == strings.ToUpper(cap.String()) {
if hostSpecific && cap > lastCap() {
return fmt.Errorf("CAP_%s is not supported on the current host", cp)
}
isValid = true
break
}
}
if !isValid {
return fmt.Errorf("Invalid value passed for adding capability")
}
return nil
}
func validateCapabilities(spec *rspec.Spec) error {
logrus.Debugf("validating capabilities")
last := capability.CAP_LAST_CAP
// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
}
processCaps, err := capability.NewPid(1)
if err != nil {
return err
}
expectedCaps := make(map[string]bool)
for _, ec := range spec.Process.Capabilities {
expectedCaps[ec] = true
}
for _, cap := range capability.List() {
if cap > last {
continue
}
capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))
expectedSet := expectedCaps[capKey]
actuallySet := processCaps.Get(capability.EFFECTIVE, cap)
if expectedSet != actuallySet {
if expectedSet {
return fmt.Errorf("Expected Capability %v not set for process", cap.String())
}
return fmt.Errorf("Unexpected Capability %v set for process", cap.String())
}
}
return nil
}
