// TweakCapabilities computes the effective capability set from a base list
// plus the user's add and drop lists. Name matching is case-insensitive and
// the returned names are upper-cased. The keyword "all" in drops discards
// the whole base list; "all" in adds replaces the base list with every
// capability the capabilities package knows. Adds are applied after drops,
// so a capability that appears in both lists ends up enabled. Unknown names
// in adds or drops produce an error; entries of the base list are not
// validated against the known set.
func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
	allCaps := capabilities.GetAllCapabilities()

	// Reject unknown names in the drop list before touching anything.
	for _, name := range drops {
		if strings.ToLower(name) == "all" {
			continue
		}
		if !utils.StringsContainsNoCase(allCaps, name) {
			return nil, fmt.Errorf("Unknown capability: %s", name)
		}
	}

	// --cap-add=all: the base becomes the full known set.
	if utils.StringsContainsNoCase(adds, "all") {
		basics = capabilities.GetAllCapabilities()
	}

	var result []string

	// --cap-drop=all empties the base; otherwise keep every base entry that
	// is not explicitly dropped.
	dropAll := utils.StringsContainsNoCase(drops, "all")
	if !dropAll {
		for _, name := range basics {
			if strings.ToLower(name) == "all" {
				// keyword, already handled above
				continue
			}
			if utils.StringsContainsNoCase(drops, name) {
				continue
			}
			result = append(result, strings.ToUpper(name))
		}
	}

	// Explicit adds: validate each name, then append it unless it is
	// already present (case-insensitive check).
	for _, name := range adds {
		if strings.ToLower(name) == "all" {
			continue
		}
		if !utils.StringsContainsNoCase(allCaps, name) {
			return nil, fmt.Errorf("Unknown capability: %s", name)
		}
		if utils.StringsContainsNoCase(result, name) {
			continue
		}
		result = append(result, strings.ToUpper(name))
	}

	return result, nil
}
// dropList translates a drop list into numeric capability values. Only the
// "all" keyword (matched case-insensitively) is handled: when present, the
// numeric value of every known capability is returned; otherwise an empty,
// non-nil slice is returned and individual entries are ignored here. A name
// that capabilities.GetCapability cannot resolve yields an error.
func dropList(drops []string) ([]string, error) {
	if !utils.StringsContainsNoCase(drops, "all") {
		return []string{}, nil
	}

	var numeric []string
	for _, name := range capabilities.GetAllCapabilities() {
		log.Debugf("drop cap %s\n", name)
		resolved := capabilities.GetCapability(name)
		if resolved == nil {
			return nil, fmt.Errorf("Invalid capability '%s'", name)
		}
		numeric = append(numeric, fmt.Sprintf("%d", resolved.Value))
	}
	return numeric, nil
}
// TestDropCap verifies that a "cap.drop=MKNOD" option removes MKNOD from a
// container that starts with every capability enabled.
func TestDropCap(t *testing.T) {
	container := template.New()
	// Start from the full set so the drop is observable.
	container.Capabilities = capabilities.GetAllCapabilities()

	opts := []string{"cap.drop=MKNOD"}
	err := ParseConfiguration(container, nil, opts)
	if err != nil {
		t.Fatal(err)
	}

	if hasCapability("MKNOD", container.Capabilities) {
		t.Fatal("container should not have MKNOD enabled")
	}
}
// setPrivileged configures container for privileged mode: every known
// capability, cgroup access to all devices, every host device node mounted
// in, RestrictSys cleared, and the "unconfined" AppArmor profile when
// AppArmor is enabled on the host. Each of these widens what the container
// can reach on the host. The only failure path is enumerating host device
// nodes; capabilities and the device cgroup flag are already set by then.
func (d *driver) setPrivileged(container *libcontainer.Config) (err error) {
	container.Capabilities = capabilities.GetAllCapabilities()
	container.Cgroups.AllowAllDevices = true

	nodes, err := devices.GetHostDeviceNodes()
	if err != nil {
		return err
	}
	container.MountConfig.DeviceNodes = nodes
	container.RestrictSys = false

	if apparmor.IsEnabled() {
		container.AppArmorProfile = "unconfined"
	}
	return nil
}
// setPrivileged configures container for privileged mode: every known
// capability, cgroup access to all devices, every host device node mounted
// in, the "restrictions" context entry removed, and the "apparmor_profile"
// context entry set to "unconfined" when AppArmor is enabled on the host.
// Each of these widens what the container can reach on the host. The only
// failure path is enumerating host device nodes; capabilities and the device
// cgroup flag are already set by then.
func (d *driver) setPrivileged(container *libcontainer.Config) (err error) {
	container.Capabilities = capabilities.GetAllCapabilities()
	container.Cgroups.AllowAllDevices = true

	nodes, err := devices.GetHostDeviceNodes()
	if err != nil {
		return err
	}
	container.MountConfig.DeviceNodes = nodes

	// delete on a nil map is a no-op, but the assignment below panics if
	// container.Context is nil.
	// NOTE(review): confirm the caller always initialises container.Context.
	delete(container.Context, "restrictions")
	if apparmor.IsEnabled() {
		container.Context["apparmor_profile"] = "unconfined"
	}
	return nil
}
// GetAllCapabilities returns the full capability list as reported by the
// capabilities package; it is a plain pass-through with no filtering.
func GetAllCapabilities() []string {
	all := capabilities.GetAllCapabilities()
	return all
}