func dropCap(container *libcontainer.Config, context interface{}, value string) error { // If the capability is specified multiple times, remove all instances. for i, capability := range container.Capabilities { if capability == value { container.Capabilities = append(container.Capabilities[:i], container.Capabilities[i+1:]...) } } // The capability wasn't found so we will drop it anyways. return nil }
func (d *driver) setPrivileged(container *libcontainer.Config) (err error) { container.Capabilities = capabilities.GetAllCapabilities() container.Cgroups.AllowAllDevices = true hostDeviceNodes, err := devices.GetHostDeviceNodes() if err != nil { return err } container.MountConfig.DeviceNodes = hostDeviceNodes container.RestrictSys = false if apparmor.IsEnabled() { container.AppArmorProfile = "unconfined" } return nil }
func (d *driver) setPrivileged(container *libcontainer.Config) (err error) { container.Capabilities = capabilities.GetAllCapabilities() container.Cgroups.AllowAllDevices = true hostDeviceNodes, err := devices.GetHostDeviceNodes() if err != nil { return err } container.MountConfig.DeviceNodes = hostDeviceNodes delete(container.Context, "restrictions") if apparmor.IsEnabled() { container.Context["apparmor_profile"] = "unconfined" } return nil }
func addCap(container *libcontainer.Config, context interface{}, value string) error { container.Capabilities = append(container.Capabilities, value) return nil }