server: fix set caps on container create

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
Antonio Murdaca 2017-05-05 12:14:34 +02:00
parent 715785950c
commit 139b16bac2
7 changed files with 80 additions and 114 deletions


@ -400,11 +400,17 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
}
capabilities := linux.GetSecurityContext().GetCapabilities()
toCAPPrefixed := func(cap string) string {
if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
return "CAP_" + cap
}
return cap
}
if capabilities != nil {
addCaps := capabilities.AddCapabilities
if addCaps != nil {
for _, cap := range addCaps {
if err := specgen.AddProcessCapability(cap); err != nil {
if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil {
return nil, err
}
}
@ -413,7 +419,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
dropCaps := capabilities.DropCapabilities
if dropCaps != nil {
for _, cap := range dropCaps {
if err := specgen.DropProcessCapability(cap); err != nil {
if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
return nil, err
}
}
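Review bot: toCAPPrefixed lowercases the input only for the prefix test and then prepends `CAP_` to the original string, so a CRI value such as `setuid` becomes the mixed-case `CAP_setuid`; whether specgen accepts that depends on it upper-casing the name internally, which this hunk does not show. A value that already carries the prefix is passed through untouched as well, so `cap_setuid` stays lowercase. Normalising once in the helper, `return "CAP_" + strings.ToUpper(cap)` in the unprefixed branch and `return strings.ToUpper(cap)` in the other, removes that dependency on the callee. The helper also has no case for the `ALL` sentinel that pod specs use for `drop: [ALL]`; if the kubelet forwards it unchanged it becomes `CAP_ALL` and container creation fails, so either a comment stating that `ALL` is not supported here or an explicit branch for it is worth adding. createSandboxContainer starts and ends outside this hunk.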


@ -51,30 +51,22 @@
"memory_limit_in_bytes": 88000000,
"oom_score_adj": 30
},
"capabilities": {
"add_capabilities": [
"setuid",
"setgid"
],
"drop_capabilities": [
"audit_write",
"audit_read"
]
},
"selinux_options": {
"user": "system_u",
"role": "system_r",
"type": "container_t",
"level": "s0:c4,c5"
},
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
"security_context": {
"capabilities": {
"add_capabilities": [
"setuid",
"setgid"
],
"drop_capabilities": [
"audit_read"
]
},
"selinux_options": {
"user": "system_u",
"role": "system_r",
"type": "container_t",
"level": "s0:c4,c5"
}
}
}
}
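Review bot: Besides moving the block under `security_context`, this fixture drops `audit_write` from `drop_capabilities` and removes the whole `user` object (uid 5, gid 300, additional gids 400-402), neither of which the commit title about capability naming explains; the other fixture files in this commit make the same two changes, and the last two also drop their uid 0 / gid 0 `user` objects. If the user fields were removed because the server no longer reads them from that location, one sentence in the commit description saying so would make the coverage loss deliberate; otherwise the uid/gid values should be carried over into `security_context` so the test still exercises that path. The reason for no longer dropping `audit_write` (for example, that it is not in the default set and the drop would be rejected) should be stated as well, since it is not recoverable from the diff.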


@ -51,30 +51,22 @@
"memory_limit_in_bytes": 88000000,
"oom_score_adj": 30
},
"capabilities": {
"add_capabilities": [
"setuid",
"setgid"
],
"drop_capabilities": [
"audit_write",
"audit_read"
]
},
"selinux_options": {
"user": "system_u",
"role": "system_r",
"type": "container_t",
"level": "s0:c4,c5"
},
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
"security_context": {
"capabilities": {
"add_capabilities": [
"setuid",
"setgid"
],
"drop_capabilities": [
"audit_read"
]
},
"selinux_options": {
"user": "system_u",
"role": "system_r",
"type": "container_t",
"level": "s0:c4,c5"
}
}
}
}


@ -4,7 +4,7 @@
"attempt": 1
},
"image": {
"image": "docker://busybox:latest"
"image": "busybox:latest"
},
"command": [
"/bin/sh", "-c"
@ -53,30 +53,22 @@
"memory_limit_in_bytes": 88000000,
"oom_score_adj": 30
},
"capabilities": {
"add_capabilities": [
"setuid",
"setgid"
],
"drop_capabilities": [
"audit_write",
"audit_read"
]
},
"selinux_options": {
"user": "system_u",
"role": "system_r",
"type": "container_t",
"level": "s0:c4,c5"
},
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
"security_context": {
"capabilities": {
"add_capabilities": [
"setuid",
"setgid"
],
"drop_capabilities": [
"audit_read"
]
},
"selinux_options": {
"user": "system_u",
"role": "system_r",
"type": "container_t",
"level": "s0:c4,c5"
}
}
}
}


@ -53,30 +53,22 @@
"memory_limit_in_bytes": 88000000,
"oom_score_adj": 30
},
"capabilities": {
"add_capabilities": [
"setuid",
"setgid"
],
"drop_capabilities": [
"audit_write",
"audit_read"
]
},
"selinux_options": {
"user": "system_u",
"role": "system_r",
"type": "svirt_lxc_net_t",
"level": "s0:c4-c5"
},
"user": {
"uid": 5,
"gid": 300,
"additional_gids": [
400,
401,
402
]
"security_context": {
"capabilities": {
"add_capabilities": [
"setuid",
"setgid"
],
"drop_capabilities": [
"audit_read"
]
},
"selinux_options": {
"user": "system_u",
"role": "system_r",
"type": "svirt_lxc_net_t",
"level": "s0:c4-c5"
}
}
}
}


@ -18,11 +18,5 @@
"log_path": "",
"stdin": false,
"stdin_once": false,
"tty": false,
"linux": {
"user": {
"uid": 0,
"gid": 0
}
}
"tty": false
}


@ -51,14 +51,12 @@
"memory_limit_in_bytes": 88000000,
"oom_score_adj": 30
},
"capabilities": {
"add_capabilities": [
"sys_admin"
]
},
"user": {
"uid": 0,
"gid": 0
"security_context": {
"capabilities": {
"add_capabilities": [
"sys_admin"
]
}
}
}
}