// setupCapabilities fills spec.Linux.Capabilities from the CLI flags.
//
// With --privileged every capability known to the capability package is
// granted and the add/drop flags are not consulted. Otherwise the list
// starts from defaultCaps, appends each --cap-add value (prefixed with
// "CAP_", deduplicated) and then removes each --cap-drop value. Both flag
// lists must use the upper-cased name without the CAP_ prefix, exactly as
// the capability package reports it; any other spelling is rejected.
// rspec is accepted for interface compatibility and is not read here.
func setupCapabilities(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
	// Privileged mode short-circuits: grant everything and skip add/drop.
	if context.Bool("privileged") {
		var all []string
		for _, c := range capability.List() {
			all = append(all, fmt.Sprintf("CAP_%s", strings.ToUpper(c.String())))
		}
		spec.Linux.Capabilities = all
		return nil
	}

	// Known capability names, upper-cased and without the CAP_ prefix,
	// which is the form the flags are matched against (case-sensitively).
	known := make(map[string]bool)
	for _, c := range capability.List() {
		known[strings.ToUpper(c.String())] = true
	}

	// Start from the defaults; track membership so --cap-add never
	// produces duplicates.
	granted := make([]string, len(defaultCaps))
	copy(granted, defaultCaps)
	seen := make(map[string]bool, len(defaultCaps))
	for _, c := range defaultCaps {
		seen[c] = true
	}
	for _, name := range context.StringSlice("cap-add") {
		if !known[name] {
			return fmt.Errorf("Invalid value passed for adding capability")
		}
		full := fmt.Sprintf("CAP_%s", name)
		if seen[full] {
			continue
		}
		seen[full] = true
		granted = append(granted, full)
	}

	dropped := make(map[string]bool)
	for _, name := range context.StringSlice("cap-drop") {
		if !known[name] {
			return fmt.Errorf("Invalid value passed for dropping capability")
		}
		dropped[fmt.Sprintf("CAP_%s", name)] = true
	}

	// Drops win over defaults and adds.
	var final []string
	for _, c := range granted {
		if !dropped[c] {
			final = append(final, c)
		}
	}
	spec.Linux.Capabilities = final
	return nil
}
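// validateCapabilities checks that the effective capability set of PID 1
// (the container's init, read via capability.NewPid(1)) matches exactly the
// list in spec.Linux.Capabilities: every listed capability must be set and
// no unlisted one may be set.
//
// Only capabilities up to CAP_LAST_CAP are mapped (with the RHEL6
// workaround below). A spec entry that does not map to a known capability
// is reported as an error; previously such an entry looked up as the zero
// Cap and silently marked CAP_CHOWN as expected, so a typo or a capability
// the host does not support could never be noticed by this check.
// rspec is accepted for interface compatibility and is not read here.
func validateCapabilities(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec) error {
	fmt.Println("validating capabilities")

	last := capability.CAP_LAST_CAP
	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
	if last == capability.Cap(63) {
		last = capability.CAP_BLOCK_SUSPEND
	}

	// Map the spec's "CAP_XXX" spelling onto the capability package's values.
	capabilityMap := make(map[string]capability.Cap)
	expectedCaps := make(map[capability.Cap]bool)
	for _, cap := range capability.List() {
		if cap > last {
			continue
		}
		capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))
		capabilityMap[capKey] = cap
		expectedCaps[cap] = false
	}

	for _, ec := range spec.Linux.Capabilities {
		cap, ok := capabilityMap[ec]
		if !ok {
			// Either a misspelled name or a capability above this host's
			// CAP_LAST_CAP; both mean the spec cannot be validated as written.
			return fmt.Errorf("capability %q in spec is unknown or not supported on this host", ec)
		}
		expectedCaps[cap] = true
	}

	processCaps, err := capability.NewPid(1)
	if err != nil {
		return err
	}
	for _, cap := range capability.List() {
		expectedSet := expectedCaps[cap]
		actuallySet := processCaps.Get(capability.EFFECTIVE, cap)
		if expectedSet == actuallySet {
			continue
		}
		if expectedSet {
			return fmt.Errorf("Expected Capability %v not set for process", cap.String())
		}
		return fmt.Errorf("Unexpected Capability %v set for process", cap.String())
	}
	return nil
}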
// init fills the package-level capabilityMap with every capability the
// capability package knows, keyed by its "CAP_XXX" spelling, skipping
// those above the kernel's CAP_LAST_CAP.
func init() {
	// RHEL6 has no /proc/sys/kernel/cap_last_cap and CAP_LAST_CAP then
	// comes back as 63 (presumably the library's fallback), so clamp to
	// the highest capability that kernel actually has.
	limit := capability.CAP_LAST_CAP
	if limit == capability.Cap(63) {
		limit = capability.CAP_BLOCK_SUSPEND
	}
	capabilityMap = make(map[string]capability.Cap)
	for _, c := range capability.List() {
		if c <= limit {
			capabilityMap["CAP_"+strings.ToUpper(c.String())] = c
		}
	}
}
// SetupPrivileged sets up the privilege-related fields inside g.spec.
//
// When privileged is true every capability is granted (capped at the
// host's lastCap() when g.HostSpecific is set) and the SELinux label,
// AppArmor profile and seccomp profile are cleared. When privileged is
// false the spec is left untouched.
func (g *Generator) SetupPrivileged(privileged bool) {
	if !privileged {
		return
	}
	var caps []string
	for _, c := range capability.List() {
		// Skip capabilities the running kernel does not know about.
		if g.HostSpecific && c > lastCap() {
			continue
		}
		caps = append(caps, "CAP_"+strings.ToUpper(c.String()))
	}
	g.initSpecLinux()
	g.spec.Process.Capabilities = caps
	g.spec.Process.SelinuxLabel = ""
	g.spec.Process.ApparmorProfile = ""
	g.spec.Linux.Seccomp = nil
}
// init populates capabilityList with one CapabilityMapping per capability
// the capability package knows, keyed by the upper-cased name without the
// CAP_ prefix, skipping those above the kernel's CAP_LAST_CAP.
func init() {
	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
	limit := capability.CAP_LAST_CAP
	if limit == capability.Cap(63) {
		limit = capability.CAP_BLOCK_SUSPEND
	}
	for _, c := range capability.List() {
		if c > limit {
			continue
		}
		m := &CapabilityMapping{Key: strings.ToUpper(c.String()), Value: c}
		capabilityList = append(capabilityList, m)
	}
}
// checkCap returns nil when c names a capability known to the capability
// package. The comparison is case-insensitive and expects the name without
// the CAP_ prefix. With hostSpecific set, a name above the running
// kernel's lastCap() is rejected even though the package knows it.
func checkCap(c string, hostSpecific bool) error {
	want := strings.ToUpper(c)
	for _, candidate := range capability.List() {
		if want != strings.ToUpper(candidate.String()) {
			continue
		}
		if hostSpecific && candidate > lastCap() {
			return fmt.Errorf("CAP_%s is not supported on the current host", want)
		}
		return nil
	}
	return fmt.Errorf("Invalid value passed for adding capability")
}
// validateCapabilities compares the effective capability set of PID 1
// (read via capability.NewPid(1)) against spec.Process.Capabilities: each
// capability up to the kernel's CAP_LAST_CAP (RHEL6 workaround applied)
// must be set exactly when its "CAP_XXX" name appears in the spec.
// Spec entries that do not correspond to a checked capability are only
// consulted by lookup and are not themselves reported.
func validateCapabilities(spec *rspec.Spec) error {
	logrus.Debugf("validating capabilities")

	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
	limit := capability.CAP_LAST_CAP
	if limit == capability.Cap(63) {
		limit = capability.CAP_BLOCK_SUSPEND
	}

	processCaps, err := capability.NewPid(1)
	if err != nil {
		return err
	}

	wanted := make(map[string]bool, len(spec.Process.Capabilities))
	for _, name := range spec.Process.Capabilities {
		wanted[name] = true
	}

	for _, c := range capability.List() {
		if c > limit {
			continue
		}
		want := wanted["CAP_"+strings.ToUpper(c.String())]
		have := processCaps.Get(capability.EFFECTIVE, c)
		switch {
		case want == have:
			continue
		case want:
			return fmt.Errorf("Expected Capability %v not set for process", c.String())
		default:
			return fmt.Errorf("Unexpected Capability %v set for process", c.String())
		}
	}
	return nil
}