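// TweakCapabilities computes the effective capability set for a container
// from a baseline (basics), the capabilities requested via --cap-add (adds)
// and those requested via --cap-drop (drops).
//
// The special value "all" (matched case-insensitively) is honoured in both
// lists: "all" in adds replaces the baseline with every known capability,
// "all" in drops discards the baseline entirely. Explicit adds are applied
// after drops, so `--cap-drop=all --cap-add=X` yields exactly X, and a name
// present in both adds and drops ends up granted. Names are compared
// case-insensitively and returned upper-cased.
//
// It returns an error naming the first entry of drops or adds that is not a
// known capability. A nil slice with a nil error means no capabilities.
func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
	allCaps := capabilities.GetAllCapabilities()

	isAll := func(name string) bool { return strings.ToLower(name) == "all" }

	// Reject unknown names in the drop list up front: without this check a
	// misspelled drop would never match anything and the capability would be
	// silently kept.
	for _, name := range drops {
		if isAll(name) {
			continue
		}
		if !utils.StringsContainsNoCase(allCaps, name) {
			return nil, fmt.Errorf("Unknown capability drop: %q", name)
		}
	}

	// --cap-add=all: start from every capability rather than the baseline.
	// allCaps is reused instead of fetching the list a second time; it is only
	// read below.
	if utils.StringsContainsNoCase(adds, "all") {
		basics = allCaps
	}

	var newCaps []string
	// --cap-drop=all discards the whole baseline; otherwise keep each baseline
	// capability that is not individually dropped.
	if !utils.StringsContainsNoCase(drops, "all") {
		for _, name := range basics {
			if isAll(name) {
				continue
			}
			if !utils.StringsContainsNoCase(drops, name) {
				newCaps = append(newCaps, strings.ToUpper(name))
			}
		}
	}

	// Explicit adds are validated and appended last, which is why an add wins
	// over a matching drop. Case-insensitive duplicates are skipped.
	for _, name := range adds {
		if isAll(name) {
			continue
		}
		if !utils.StringsContainsNoCase(allCaps, name) {
			return nil, fmt.Errorf("Unknown capability to add: %q", name)
		}
		if !utils.StringsContainsNoCase(newCaps, name) {
			newCaps = append(newCaps, strings.ToUpper(name))
		}
	}
	return newCaps, nil
}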
// TestDropCap checks that a "cap.drop=MKNOD" option removes MKNOD from a
// container that starts with the full capability set.
func TestDropCap(t *testing.T) {
	c := template.New()
	// Start from every capability, as a privileged container would, so the
	// drop has something to remove.
	c.Capabilities = capabilities.GetAllCapabilities()

	err := ParseConfiguration(c, nil, []string{"cap.drop=MKNOD"})
	if err != nil {
		t.Fatal(err)
	}
	if hasCapability("MKNOD", c.Capabilities) {
		t.Fatal("container should not have MKNOD enabled")
	}
}
// setPrivileged widens container's configuration to the privileged profile:
// every capability, unrestricted device access in the cgroup, the host's
// device nodes mounted in, RestrictSys disabled and, when AppArmor is
// enabled, the "unconfined" profile.
//
// It returns the error from devices.GetHostDeviceNodes, in which case the
// capability and cgroup device settings have already been applied to
// container.
func (d *driver) setPrivileged(container *libcontainer.Config) error {
	container.Capabilities = capabilities.GetAllCapabilities()
	container.Cgroups.AllowAllDevices = true

	nodes, err := devices.GetHostDeviceNodes()
	if err != nil {
		return err
	}
	container.MountConfig.DeviceNodes = nodes
	container.RestrictSys = false

	if apparmor.IsEnabled() {
		container.AppArmorProfile = "unconfined"
	}
	return nil
}